CVE-2026-0953

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://tutorlms.com/releases/id/393/
https://www.wordfence.com/threat-intel/vulnerabilities/id/92a120ac-66ae-4678-a87a-e62da885d50b?source=cve

Configurations

No configuration.

History

22 Apr 2026, 21:27

Type	Values Removed	Values Added
Summary		(es) El plugin Tutor LMS Pro para WordPress es vulnerable a una omisión de autenticación en todas las versiones hasta la 3.9.5, inclusive, a través del complemento Social Login. Esto se debe a que el plugin no verifica que el correo electrónico proporcionado en la solicitud de autenticación coincida con el correo electrónico del token OAuth validado. Esto hace posible que atacantes no autenticados inicien sesión como cualquier usuario existente, incluidos los administradores, al proporcionar un token OAuth válido de su propia cuenta junto con la dirección de correo electrónico de la víctima.

10 Mar 2026, 17:31

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 17:31

Updated : 2026-06-17 10:11

NVD link : CVE-2026-0953

Mitre link : CVE-2026-0953

CVE.ORG link : CVE-2026-0953

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

{"id": "CVE-2026-0953", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-0953", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T15:58:52.010194Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "themeum", "product": "Tutor LMS Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.9.5"}], "defaultStatus": "unaffected"}]}], "published": "2026-03-10T17:31:40.537", "references": [{"url": "https://tutorlms.com/releases/id/393/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a120ac-66ae-4678-a87a-e62da885d50b?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address."}, {"lang": "es", "value": "El plugin Tutor LMS Pro para WordPress es vulnerable a una omisi\u00f3n de autenticaci\u00f3n en todas las versiones hasta la 3.9.5, inclusive, a trav\u00e9s del complemento Social Login. Esto se debe a que el plugin no verifica que el correo electr\u00f3nico proporcionado en la solicitud de autenticaci\u00f3n coincida con el correo electr\u00f3nico del token OAuth validado. Esto hace posible que atacantes no autenticados inicien sesi\u00f3n como cualquier usuario existente, incluidos los administradores, al proporcionar un token OAuth v\u00e1lido de su propia cuenta junto con la direcci\u00f3n de correo electr\u00f3nico de la v\u00edctima."}], "lastModified": "2026-06-17T10:11:40.757", "sourceIdentifier": "security@wordfence.com"}