Skip to main content

Tutor LMS CVE-2026-12273

| EUVDEUVD-2026-43288 MEDIUM
2026-07-13 WPScan GHSA-cwrv-whxp-7g78
4.3
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Subscriber-level authentication (PR:L) is required; impact is limited to integrity injection with no confidentiality or availability exposure, and scope is unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 13, 2026 - 19:36 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
4.3 (MEDIUM)
Patch available
Jul 13, 2026 - 08:01 EUVD
CVE Published
Jul 13, 2026 - 06:00 cve.org
MEDIUM 4.3
CVE Published
Jul 13, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

AnalysisAI

Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber-level WordPress account
Delivery
Identify target post or course page
Exploit
Send crafted POST request to vulnerable comment handler
Execution
Comment stored pre-approved, bypassing moderation queue
Impact
Arbitrary HTML and phishing links rendered publicly on target content

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum subscriber-level privileges. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 4.3 (Medium) accurately captures the constrained technical scope: network vector (AV:N), low complexity (AC:L), low privileges required (PR:L - subscriber), no user interaction (UI:N), unchanged scope (S:U), and integrity-only impact (I:L) with no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker self-registers a free subscriber account on a WordPress site running Tutor LMS before 3.9.13 - a typical scenario on sites offering public course enrollment. Using the publicly available WPScan POC, the attacker sends a crafted request to the plugin's comment handler targeting a high-traffic course page or blog post, including HTML containing phishing links or malicious redirects. …
Remediation Upgrade Tutor LMS to version 3.9.13 or later, which is the vendor-released patch that introduces proper authorization checks and post-target validation in the affected comment handler (patch available per vendor advisory at https://wpscan.com/vulnerability/93031a51-fd53-48a0-a420-0024bbdaf45b/). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-1751 HIGH POC
8.8 Mar 13

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via

CVE-2024-4351 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2024-4352 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2021-24184 HIGH POC
8.8 Apr 05

Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot

CVE-2024-10400 HIGH POC
7.5 Nov 21

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t

CVE-2023-3133 HIGH POC
7.5 Jul 04

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi

CVE-2026-12275 HIGH POC
7.1 Jul 13

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass

CVE-2026-12274 MEDIUM POC
6.5 Jul 13

Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le

CVE-2021-24186 MEDIUM POC
6.5 Apr 05

The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti

CVE-2021-24185 MEDIUM POC
6.5 Apr 05

The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7

CVE-2021-24183 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress

CVE-2021-24182 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor

Share

CVE-2026-12273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy