
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is du…

Published:

9 March 2026 at 23:00:00

Alert date:

10 March 2026 at 18:06:15

Source:

nvd.nist.gov

Web Technologies, Identity & Access

The Tutor LMS Pro plugin for WordPress versions up to 3.9.5 contains a critical authentication bypass vulnerability in its Social Login addon. The flaw occurs because the plugin fails to verify that the email provided in authentication requests matches the email from validated OAuth tokens. This allows unauthenticated attackers to log in as any existing user, including administrators, by combining a valid OAuth token from their own account with a victim's email address. The vulnerability affects all versions up to and including 3.9.5 and poses a significant security risk to WordPress sites using this plugin.
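
The missing check described above, sketched in plain PHP as an added example; it is not Tutor LMS Pro code. The function names, the in-memory user table and the stubbed token validator are hypothetical, and the provider is assumed to return OpenID Connect-style `email` and `email_verified` claims.

```php
<?php
// Added illustration, not Tutor LMS Pro code. All names here are hypothetical.

// Constructed sample accounts, keyed by lower-cased email.
const USERS = [
    'admin@example.test'   => ['id' => 1, 'role' => 'administrator'],
    'student@example.test' => ['id' => 7, 'role' => 'subscriber'],
];

// Stand-in for provider token validation. A real handler verifies signature,
// issuer, audience and expiry, then returns the token's claims.
function verify_oauth_token(string $token): ?array
{
    // Constructed: one valid token, issued for the student's own account.
    $valid = ['tok-student' => ['email' => 'student@example.test', 'email_verified' => true]];
    return $valid[$token] ?? null;
}

// Flawed pattern from the advisory: the token is validated, but the account
// is selected by the email field sent in the request.
function login_flawed(array $request): ?array
{
    if (verify_oauth_token((string) ($request['token'] ?? '')) === null) {
        return null;
    }
    return USERS[strtolower((string) ($request['email'] ?? ''))] ?? null;
}

// Hardened: identity comes only from verified claims, and a request email
// that disagrees with the token is rejected.
function login_hardened(array $request): ?array
{
    $claims = verify_oauth_token((string) ($request['token'] ?? ''));
    if ($claims === null || empty($claims['email_verified'])) {
        return null;
    }
    $tokenEmail = strtolower($claims['email']);
    $sentEmail  = strtolower((string) ($request['email'] ?? $tokenEmail));
    if (!hash_equals($tokenEmail, $sentEmail)) {
        return null; // mismatch: reject and log for detection
    }
    return USERS[$tokenEmail] ?? null;
}

// Constructed requests: mismatched email first, then a matching one.
$mismatch = ['token' => 'tok-student', 'email' => 'admin@example.test'];
var_dump(login_flawed($mismatch)['role'] ?? null);
var_dump(login_hardened($mismatch));
var_dump(login_hardened(['token' => 'tok-student', 'email' => 'student@example.test'])['role'] ?? null);
```

A rejected mismatch between the request email and the token's email claim is also a useful detection signal to log on sites running the Social Login addon.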

Affected products:

Tutor LMS Pro
WordPress

This article was created with the assistance of AI technology by Perceptive.

This website shows information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
