Platform
wordpress
Component
tutor-pro
Fixed in
3.9.6
CVE-2026-0953 describes an authentication bypass vulnerability affecting the Tutor LMS Pro plugin for WordPress. This flaw allows unauthenticated attackers to gain unauthorized access to user accounts, potentially including administrator privileges. The vulnerability impacts versions 0.0.0 through 3.9.5 of the plugin, and a fix is available in version 3.9.6.
The impact of this vulnerability is severe. An attacker can leverage a valid OAuth token from their own account, combined with a victim's email address, to bypass authentication and log in as that user. This grants them full access to the victim's account, including the ability to modify course content, student data, and plugin settings. For administrator accounts, the attacker could completely compromise the WordPress site, leading to data breaches, malware installation, or website defacement. The ease of exploitation, requiring only a valid OAuth token and email address, significantly increases the risk of widespread attacks.
This vulnerability was publicly disclosed on 2026-03-10. While no active exploitation campaigns have been confirmed, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks.
Exploit Status
EPSS
0.06% (20% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Tutor LMS Pro plugin to version 3.9.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the Social Login addon to prevent exploitation. Review WordPress user accounts for any suspicious activity. Implement stricter OAuth application permissions to limit the scope of tokens issued. Monitor WordPress access logs for unusual login attempts, particularly those involving OAuth providers. After upgrading, confirm the fix by attempting a login with a different email address using a valid OAuth token – the login should be denied.
Update to version 3.9.6, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-0953 is a critical vulnerability in the Tutor LMS Pro WordPress plugin allowing attackers to bypass authentication and log in as any user, including administrators, by exploiting OAuth token validation flaws.
If you are using Tutor LMS Pro versions 0.0.0 through 3.9.5 and have the Social Login addon enabled, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade the Tutor LMS Pro plugin to version 3.9.6 or later. If upgrading is not possible, temporarily disable the Social Login addon.
While no active exploitation campaigns have been confirmed, the ease of exploitation suggests a high probability of attacks. Monitor your systems closely.
Refer to the official Tutor LMS website and WordPress plugin repository for the latest advisory and update information regarding CVE-2026-0953.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.