Platform: wordpress
Component: tutor-pro
Fixed in: 3.9.6
CVE-2026-0953 describes an authentication bypass vulnerability affecting the Tutor LMS Pro plugin for WordPress. This flaw allows unauthenticated attackers to gain unauthorized access to user accounts, potentially including administrator privileges. The vulnerability impacts versions 0.0.0 through 3.9.5 of the plugin, and a fix is available in version 3.9.6.
The impact of this vulnerability is severe. An attacker can leverage a valid OAuth token from their own account, combined with a victim's email address, to bypass authentication and log in as that user. This grants them full access to the victim's account, including the ability to modify course content, student data, and plugin settings. For administrator accounts, the attacker could completely compromise the WordPress site, leading to data breaches, malware installation, or website defacement. The ease of exploitation, requiring only a valid OAuth token and email address, significantly increases the risk of widespread attacks.
This vulnerability was publicly disclosed on 2026-03-10. While no active exploitation campaigns have been confirmed, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks.
WordPress sites utilizing the Tutor LMS Pro plugin, particularly those relying on the Social Login addon, are at significant risk. Shared hosting environments where multiple WordPress installations share resources are also vulnerable, as a compromise of one site could potentially impact others. Sites with legacy configurations or those that haven't implemented robust security practices are especially susceptible.
• wordpress / composer / npm:
  grep -r "validate_oauth_token" /var/www/html/wp-content/plugins/tutor-lms-pro/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep tutor-lms-pro
• wordpress / composer / npm:
  wp plugin list --fields=name,version | grep tutor-lms-pro
Exploit status
EPSS: 0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Tutor LMS Pro plugin to version 3.9.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the Social Login addon to prevent exploitation. Review WordPress user accounts for any suspicious activity. Implement stricter OAuth application permissions to limit the scope of tokens issued. Monitor WordPress access logs for unusual login attempts, particularly those involving OAuth providers. After upgrading, confirm the fix by attempting a login with a different email address using a valid OAuth token – the login should be denied.
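The flaw described above and the post-upgrade check from this paragraph, as an added illustration that is not Tutor LMS Pro code: the provider, the token store, the user table and the two login handlers are constructed stand-ins showing why an account lookup must be keyed on the identity the provider binds to the token rather than on an email the client supplies.

```python
from typing import Optional

# Constructed OAuth provider: the identity each issued token was bound to.
PROVIDER_TOKENS = {
    "tok-attacker-123": {"sub": "oauth-user-42", "email": "attacker@example.test"},
}

# Constructed WordPress-style user table, keyed by account email.
WP_USERS = {
    "admin@example.test": {"id": 1, "role": "administrator"},
    "attacker@example.test": {"id": 7, "role": "subscriber"},
}


def introspect(token: str) -> Optional[dict]:
    """Validate the token with the simulated provider; None if it is unknown."""
    return PROVIDER_TOKENS.get(token)


def login_vulnerable(token: str, requested_email: str) -> Optional[int]:
    """Pattern the advisory describes: the token is checked for validity, but the
    account to log into is chosen from the email in the request. Any valid token,
    including one for the attacker's own account, therefore opens any account."""
    if introspect(token) is None:
        return None
    user = WP_USERS.get(requested_email)
    return user["id"] if user else None


def login_fixed(token: str, requested_email: str) -> Optional[int]:
    """Hardened pattern: the account is derived from the email the provider binds
    to the token, and a client-supplied email that disagrees is rejected."""
    claims = introspect(token)
    if claims is None:
        return None
    if requested_email.lower() != claims["email"].lower():
        return None
    user = WP_USERS.get(claims["email"])
    return user["id"] if user else None


def post_upgrade_check(login) -> bool:
    """The acceptance test from the mitigation text: a valid token paired with a
    different account's email must be denied, while the token's own account still
    works. Returns True when the given login handler behaves that way."""
    own_ok = login("tok-attacker-123", "attacker@example.test") == 7
    other_denied = login("tok-attacker-123", "admin@example.test") is None
    return own_ok and other_denied
```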
Update to version 3.9.6 or a later fixed version
CVE-2026-0953 is a critical vulnerability in the Tutor LMS Pro WordPress plugin allowing attackers to bypass authentication and log in as any user, including administrators, by exploiting OAuth token validation flaws.
If you are using Tutor LMS Pro versions 0.0.0 through 3.9.5 and have the Social Login addon enabled, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade the Tutor LMS Pro plugin to version 3.9.6 or later. If upgrading is not possible, temporarily disable the Social Login addon.
While no active exploitation campaigns have been confirmed, the ease of exploitation suggests a high probability of attacks. Monitor your systems closely.
Refer to the official Tutor LMS website and WordPress plugin repository for the latest advisory and update information regarding CVE-2026-0953.