PatchSiren

Tutor LMS CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review Tutor LMS CVE published 2026-07-13

CVE-2026-12275

The Tutor LMS WordPress plugin before 3.9.13 has a vulnerability in its Droip and Kirki page-builder integration. This vulnerability allows authenticated users with subscriber-level access to enroll in paid or private courses without authorization, read private course content, and mark arbitrary courses as completed on sites where the Droip or Kirki integration is active.

Review Tutor LMS CVE published 2026-07-13

CVE-2026-12273

The Tutor LMS WordPress plugin before version 3.9.13 has a vulnerability that allows authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. This vulnerability is considered medium severity and has been publicly disclosed. Users of the Tutor LMS WordPress plugin, es [truncated]