4 matches found
CVE-2026-12273
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...
CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...
CVE-2026-33290 WPGraphQL Repo's updateComment allows low-privileged authenticated users to change comment moderation status (comment_approved) without moderate_comments permission
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user including a custom role with zero capabilities to change moderation status of their own comment for example to APPROVE without the...
CVE-2026-33290
WPGraphQL (WordPress) before 2.10.0 has an authorization flaw in updateComment that lets authenticated low-privileged users (including roles with zero capabilities) alter their own comment’s moderation status (e.g., APPROVE) without moderate_comments permission. Details from the CVE show owner-ba...