PatchSiren cyber security CVE debrief
CVE-2026-12273 Tutor LMS CVE debrief
The Tutor LMS WordPress plugin before version 3.9.13 has a vulnerability that allows authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. This vulnerability is considered medium severity and has been publicly disclosed. Users of the Tutor LMS WordPress plugin, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary precautions to prevent exploitation.
- Vendor
- Tutor LMS
- Product
- Tutor LMS WordPress plugin
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of the Tutor LMS WordPress plugin, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary precautions to prevent exploitation. This includes updating the plugin to version 3.9.13 or later, restricting comment posting to authorized users only, and monitoring comments for suspicious activity. Additionally, operators and security teams should review the vulnerability's impact on their platforms and implement compensating controls if necessary.
Technical summary
The Tutor LMS WordPress plugin before version 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved. This allows authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. The vulnerability has been publicly disclosed and is considered medium severity.
Defensive priority
Medium
Recommended defensive actions
- Update the Tutor LMS WordPress plugin to version 3.9.13 or later
- Restrict comment posting to authorized users only
- Monitor comments for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-13T07:16:27.733Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide details on the vulnerability's operational impact or potential mitigations.
Official resources
-
CVE-2026-12273 CVE record
CVE.org
-
CVE-2026-12273 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T07:16:27.733Z and has not been modified since then. The NVD entry is currently Received.