CVE-2026-0953: Improper Authentication in Tutor LMS PRO

Severity
9.8 CRITICAL (NVD)
EPSS
0.1%
top 74.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 10

Description

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email addre
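The missing check described above, shown as an added example that is not Tutor LMS Pro code: a login handler that selects the account from the request's email field, beside one that takes identity only from the validated token's claims. All function names, tokens, users and the `email_verified` claim (an OIDC-style claim) are assumptions constructed for illustration.

```php
<?php
// Added illustration; not the plugin's code. All names are hypothetical.

// Constructed stand-in for provider-side token validation: maps an OAuth
// token to the claims the identity provider vouches for.
function verify_oauth_token(string $token): ?array {
    $constructed = [
        'tok-mallory'    => ['email' => 'mallory@example.com', 'email_verified' => true],
        'tok-unverified' => ['email' => 'admin@example.com', 'email_verified' => false],
    ];
    return $constructed[$token] ?? null;
}

// Constructed user table keyed by lower-cased email.
const USERS = [
    'admin@example.com'   => ['id' => 1, 'role' => 'administrator'],
    'mallory@example.com' => ['id' => 7, 'role' => 'subscriber'],
];

// Flawed pattern from the description: the token is validated, but the
// account is chosen by the email field of the request.
function login_flawed(array $request): ?array {
    if (verify_oauth_token($request['token'] ?? '') === null) {
        return null;
    }
    return USERS[strtolower($request['email'] ?? '')] ?? null;
}

// Hardened: identity comes only from the verified claims, and a request
// email that disagrees with the token is rejected outright.
function login_hardened(array $request): ?array {
    $claims = verify_oauth_token($request['token'] ?? '');
    if ($claims === null || empty($claims['email_verified'])) {
        return null; // invalid token, or provider has not verified the email
    }
    $tokenEmail = strtolower($claims['email']);
    if (isset($request['email'])
        && !hash_equals($tokenEmail, strtolower((string) $request['email']))) {
        return null; // mismatch between request and token: log and alert here
    }
    return USERS[$tokenEmail] ?? null;
}

// Constructed requests: one whose email disagrees with the token, one that agrees.
$mismatch = ['token' => 'tok-mallory', 'email' => 'admin@example.com'];
$matching = ['token' => 'tok-mallory', 'email' => 'mallory@example.com'];
var_dump(login_flawed($mismatch)['role'] ?? null);
var_dump(login_hardened($mismatch)['role'] ?? null);
var_dump(login_hardened($matching)['role'] ?? null);
```

The rejected-mismatch branch in `login_hardened` is also a useful detection point: a valid token presented with a different account's email has no benign explanation.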

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

CVEListV5: themeum/tutor_lms_pro 3.9.5

🔴Vulnerability Details

3
GHSA
GHSA-46hh-8mqf-62rx: The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3 (2026-03-10)
CVEList
Tutor LMS Pro <= 3.9.5 - Authentication Bypass via Social Login (2026-03-10)
VulnCheck
themeum tutor_lms Improper Authentication (2026)

🕵️Threat Intelligence

1
Wiz
CVE-2026-0953 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-0953 — Improper Authentication | cvebase