WordPress Plugin Vulnerabilities

Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

Description

The plugin does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

Proof of Concept

Affects Plugins

Fixed in 3.9.13

References

Classification

Type
ACCESS CONTROLS
CWE

Miscellaneous

Original Researcher
Muni Nitish Kumar Yaddala
Submitter
Muni Nitish Kumar Yaddala
Verified
Yes

Timeline

Publicly Published
2026-06-22 (about 22 days ago)
Added
2026-06-22 (about 21 days ago)
Last Updated
2026-06-22 (about 21 days ago)

Other