WordPress Plugin Vulnerabilities
Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation
Description
The plugin does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Muni Nitish Kumar Yaddala
Submitter
Muni Nitish Kumar Yaddala
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-22 (about 22 days ago)
Added
2026-06-22 (about 21 days ago)
Last Updated
2026-06-22 (about 21 days ago)