Platform
wordpress
Component
tutor-pro
Fixed in
3.9.6
CVE-2026-0953 describes an authentication bypass vulnerability affecting the Tutor LMS Pro plugin for WordPress. This flaw allows unauthenticated attackers to gain unauthorized access to user accounts, potentially including administrator privileges. The vulnerability impacts versions 0.0.0 through 3.9.5 of the plugin, and a fix is available in version 3.9.6.
The impact of this vulnerability is severe. An attacker can leverage a valid OAuth token from their own account, combined with a victim's email address, to bypass authentication and log in as that user. This grants them full access to the victim's account, including the ability to modify course content, student data, and plugin settings. For administrator accounts, the attacker could completely compromise the WordPress site, leading to data breaches, malware installation, or website defacement. The ease of exploitation, requiring only a valid OAuth token and email address, significantly increases the risk of widespread attacks.
This vulnerability was publicly disclosed on 2026-03-10. While no active exploitation campaigns have been confirmed, the ease of exploitation and the plugin's popularity suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks.
WordPress sites utilizing the Tutor LMS Pro plugin, particularly those relying on the Social Login addon, are at significant risk. Shared hosting environments where multiple WordPress installations share resources are also vulnerable, as a compromise of one site could potentially impact others. Sites with legacy configurations or those that haven't implemented robust security practices are especially susceptible.
• wordpress / composer / npm:
  grep -r "validate_oauth_token" /var/www/html/wp-content/plugins/tutor-lms-pro/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep tutor-lms-pro
• wordpress / composer / npm:
  wp plugin list --fields=name,version,status | grep tutor-lms-pro
Disclosure
Exploit Status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Tutor LMS Pro plugin to version 3.9.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the Social Login addon to prevent exploitation. Review WordPress user accounts for any suspicious activity. Implement stricter OAuth application permissions to limit the scope of tokens issued. Monitor WordPress access logs for unusual login attempts, particularly those involving OAuth providers. After upgrading, confirm the fix by attempting a login with a different email address using a valid OAuth token – the login should be denied.
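As an added example (not part of this advisory and not code from the Tutor LMS project), the following POSIX shell check reads the installed Tutor LMS Pro version and decides whether it falls inside the affected range (0.0.0 through 3.9.5, fixed in 3.9.6). The plugin slug and version range are taken from the advisory; the `wp plugin get --field=version` call and the default WordPress path `/var/www/html` are assumptions about the host. Versions are compared field by field rather than as strings, so a future 3.10.x release is correctly ranked above 3.9.6.

```shell
#!/bin/sh
# Added example: is the installed tutor-lms-pro version affected by CVE-2026-0953?
# Affected range and fixed version come from the advisory; the WP-CLI call and
# the default path are assumptions about the environment.

FIXED_VERSION="3.9.6"

# Compare two dotted versions numerically, field by field. Prints -1, 0 or 1.
# A plain string comparison would rank 3.10.0 below 3.9.6, which is wrong.
# Any "-suffix" (e.g. 3.9.6-rc1) is ignored for the comparison.
version_cmp() {
    a="${1%%-*}"; b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        if [ "$a" = "$ap" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bp" ]; then b=""; else b="${b#*.}"; fi
        ap="${ap:-0}"; bp="${bp:-0}"
        if [ "$ap" -lt "$bp" ]; then echo -1; return; fi
        if [ "$ap" -gt "$bp" ]; then echo 1; return; fi
    done
    echo 0
}

# Succeeds (exit 0) when the given version is older than the fixed release,
# i.e. inside the affected range 0.0.0 through 3.9.5.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Read the installed version via WP-CLI (assumed to be installed on the host)
# and report. Exit code: 0 patched, 1 vulnerable, 2 plugin/WP-CLI not found.
check_site() {
    path="${1:-/var/www/html}"   # assumed default WordPress root
    v="$(wp plugin get tutor-lms-pro --field=version --path="$path" 2>/dev/null)" || {
        echo "tutor-lms-pro not found at $path, or WP-CLI unavailable"
        return 2
    }
    if is_affected "$v"; then
        echo "VULNERABLE: tutor-lms-pro $v is below $FIXED_VERSION; update, or disable the Social Login addon until you can"
        return 1
    fi
    echo "OK: tutor-lms-pro $v is $FIXED_VERSION or newer"
    return 0
}

# Usage: sh check_tutor.sh --check /var/www/html
case "${1:-}" in
    --check) check_site "${2:-}" ;;
esac
```

The exit codes make the check usable from a cron job or a fleet-wide SSH loop: any non-zero status is a site that still needs attention, and the message distinguishes "old version" from "plugin not present".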
Update to version 3.9.6, or a newer patched version
CVE-2026-0953 is a critical vulnerability in the Tutor LMS Pro WordPress plugin allowing attackers to bypass authentication and log in as any user, including administrators, by exploiting OAuth token validation flaws.
If you are using Tutor LMS Pro versions 0.0.0 through 3.9.5 and have the Social Login addon enabled, you are potentially affected by this vulnerability. Upgrade immediately.
Upgrade the Tutor LMS Pro plugin to version 3.9.6 or later. If upgrading is not possible, temporarily disable the Social Login addon.
While no active exploitation campaigns have been confirmed, the ease of exploitation suggests a high probability of attacks. Monitor your systems closely.
Refer to the official Tutor LMS website and WordPress plugin repository for the latest advisory and update information regarding CVE-2026-0953.