Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Subscriber-level authentication (PR:L) is required; impact is limited to integrity injection with no confidentiality or availability exposure, and scope is unchanged.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.
AnalysisAI
Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at minimum subscriber-level privileges. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 4.3 (Medium) accurately captures the constrained technical scope: network vector (AV:N), low complexity (AC:L), low privileges required (PR:L - subscriber), no user interaction (UI:N), unchanged scope (S:U), and integrity-only impact (I:L) with no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker self-registers a free subscriber account on a WordPress site running Tutor LMS before 3.9.13 - a typical scenario on sites offering public course enrollment. Using the publicly available WPScan POC, the attacker sends a crafted request to the plugin's comment handler targeting a high-traffic course page or blog post, including HTML containing phishing links or malicious redirects. … |
| Remediation | Upgrade Tutor LMS to version 3.9.13 or later, which is the vendor-released patch that introduces proper authorization checks and post-target validation in the affected comment handler (patch available per vendor advisory at https://wpscan.com/vulnerability/93031a51-fd53-48a0-a420-0024bbdaf45b/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi
Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass
Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti
The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7
The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress
The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43288
GHSA-cwrv-whxp-7g78