Attack Vectors
Tutor LMS Pro (slug: tutor-pro) is affected by CVE-2026-0953, a Critical authentication bypass vulnerability (CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) impacting all versions up to and including 3.9.5 when the Social Login add-on is in use.
Because this issue is exploitable over the network with no prior access required, an unauthenticated attacker can target the public-facing login flows. The reported scenario allows an attacker to present a valid OAuth token from their own social account while supplying the email address of a victim user on your WordPress site. If successful, the attacker can log in as that existing user, including administrators.
Source: Wordfence vulnerability record | CVE record: https://www.cve.org/CVERecord?id=CVE-2026-0953
Security Weakness
The core weakness is a verification gap in the Social Login authentication process. The plugin fails to verify that the email address provided in the authentication request matches the email address associated with the validated OAuth token.
In practical business terms, this breaks the “identity binding” step that should ensure the social identity being authenticated is the same person as the WordPress user being logged in. When that check is missing, the login flow can be abused to impersonate other users by mixing a legitimate OAuth token with a different (victim) email.
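The missing identity-binding check, shown as an added illustration rather than the plugin's own code: a constructed token verifier and user table stand in for the OAuth provider and WordPress, and the vulnerable handler (trusts the caller-supplied email) is placed beside the hardened one (logs in only the account the provider vouches for).

```python
"""Identity binding in a social-login flow (constructed illustration,
not Tutor LMS Pro code). The provider lookup and user table are stand-ins."""
from typing import Optional, Tuple

# Constructed stand-in for the provider's token introspection / userinfo call:
# token -> (email the provider asserts for this token, email_verified flag)
PROVIDER_TOKENS = {
    "tok-attacker": ("attacker@example.net", True),
    "tok-unverified": ("someone@example.org", False),
}

# Constructed WordPress-style user table keyed by account email
USERS = {"admin@example.com": "admin", "attacker@example.net": "attacker"}


def verify_oauth_token(token: str) -> Optional[Tuple[str, bool]]:
    """Return (email, email_verified) for a valid token, or None if invalid."""
    return PROVIDER_TOKENS.get(token)


def vulnerable_social_login(token: str, requested_email: str) -> Optional[str]:
    """Validates the token, then logs in whoever owns requested_email.

    The token and the email are never tied together, so a valid token for
    one social account unlocks any local account whose email the caller names.
    """
    if verify_oauth_token(token) is None:
        return None
    return USERS.get(requested_email)


def hardened_social_login(token: str, requested_email: str) -> Optional[str]:
    """Logs in only the user whose email the provider asserts for this token."""
    claims = verify_oauth_token(token)
    if claims is None:
        return None
    provider_email, verified = claims
    # Identity binding: the caller-supplied email must match the provider's
    # asserted email, and the provider must have verified it; otherwise refuse.
    if not verified or requested_email.lower() != provider_email.lower():
        return None
    # Look the user up by the provider's email, never by the request value.
    return USERS.get(provider_email)
```

A server-side log entry on every mismatch between the requested email and the provider-asserted email gives defenders a direct detection signal for attempts against this flaw.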
Remediation: Update Tutor LMS Pro to version 3.9.6 or a newer patched version.
Technical or Business Impacts
This vulnerability can enable full account takeover. If an attacker impersonates an administrator, they may be able to change site settings, create new admin users, modify content, and alter integrations—effectively taking operational control of the website and the learning platform experience.
From a business-risk perspective, likely impacts include brand damage (defaced pages or malicious redirects), loss of customer trust (unauthorized access to learner/instructor accounts), disruption of course sales or enrollments, and downstream exposure through connected systems (email marketing tools, analytics, CRM, payment-related workflows, or third-party APIs configured in WordPress).
For compliance and governance teams, an admin-level compromise can trigger incident response obligations, including investigation costs, required notifications (depending on data accessed), and audit findings related to access control and identity management.
Similar Attacks
Critical authentication and session-related vulnerabilities are frequently used for rapid takeover because they bypass normal credential controls. Examples of high-impact real-world vulnerabilities in this category include:
Atlassian Confluence (CVE-2023-22515) advisory
Citrix NetScaler (CVE-2023-4966) security bulletin
Cloudflare write-up on CitrixBleed exploitation patterns