CVE-2026-25406 — Authentication Bypass Using an Alternate Path or Channel in Tutor LMS PRO

CWE-288 — Authentication Bypass Using an Alternate Path or Channel4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 82.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS PRO

Timeline

PublishedMar 25

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through <= 3.9.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶CVEListV5themeum/tutor_lms_pron/a — <= 3.9.4

🔴Vulnerability Details

GHSA

GHSA-gfhq-r659-4ww9: Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse↗2026-03-25

▶

CVEList

WordPress Tutor LMS Pro plugin <= 3.9.4 - Broken Authentication vulnerability↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25406 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶