Critical Auth Bypass in Tutor LMS Pro Exposes 30,000+

Executive Summary

A critical authentication bypass vulnerability (CVE-2026-0953) has been discovered in the Tutor LMS Pro plugin for WordPress, affecting over 30,000 active installations. The flaw resides in the plugin's Social Login addon and carries a CVSS score of 9.8 — the second-highest possible rating.

The vulnerability allows an unauthenticated attacker to bypass authentication entirely and log in as any registered user, including site administrators. The root cause is a failure to validate that the email address submitted in a social login request matches the email associated with the verified OAuth token.

Organizations running Tutor LMS Pro version 3.9.5 or earlier with the Social Login feature enabled should update to version 3.9.6 immediately or disable the Social Login addon until patched.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-0953
CVSS Score	9.8 (Critical)
CWE	CWE-287 — Improper Authentication
Type	Authentication Bypass / Account Takeover
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Yes — version 3.9.6+

Affected Versions

Plugin	Affected Versions	Fixed Version
Tutor LMS Pro	<= 3.9.5 (all, with Social Login enabled)	3.9.6

Technical Analysis

Root Cause

The Tutor LMS Pro Social Login addon integrates with OAuth providers (Google, Facebook, etc.) to allow users to sign in via social accounts. During the authentication flow, the plugin receives an OAuth token from the provider along with a user-supplied email address.

The critical flaw: the plugin does not verify that the email in the login request matches the email encoded within the validated OAuth token.

An attacker can therefore:

Obtain a valid OAuth token for their own social account
Submit that token alongside a different user's email (e.g., the site admin's email)
The plugin validates the OAuth token as legitimate, then authenticates the request as the email-specified user — without any cross-check

This is a classic OAuth token/email mismatch vulnerability.

Attack Flow

1. Attacker creates a social account (e.g., Google) and obtains a valid OAuth token
2. Attacker enumerates or guesses admin/user email address on target WordPress site
3. Attacker sends crafted social login POST request:
   - oauth_token: [attacker's valid token]
   - email: [victim's email, e.g., admin@targetsite.com]
4. Plugin validates OAuth token signature — token is valid (it's the attacker's own)
5. Plugin retrieves WordPress user by the supplied email — returns admin account
6. Plugin creates authenticated session for admin — no password required
7. Attacker is logged in as site administrator with full WordPress control

Exploitation Conditions

Tutor LMS Pro version 3.9.5 or earlier must be installed and active
The Social Login addon must be enabled (default in most Tutor LMS Pro installations)
The attacker needs a valid OAuth token from any supported provider (trivial to obtain)
The attacker needs a valid email address registered on the site (can be guessed, found in leaks, or via WP user enumeration)

Impact Assessment

Impact Area	Description
Full Account Takeover	Attacker can log in as any user, including administrators
Site Defacement	Admin access enables theme, plugin, and content modification
Data Exfiltration	Access to student PII, course data, payment records, and user profiles
Malware Installation	Admin can install malicious plugins or modify PHP files
Credential Harvesting	Access to stored payment methods, OAuth tokens, email addresses
Persistent Backdoor	Attacker can create new admin accounts for persistent access
Hosting Pivot	Shared-hosting compromise can expand to other hosted sites

Immediate Remediation

Step 1: Update Tutor LMS Pro to 3.9.6

# Via WP-CLI
wp plugin update tutor-pro
 
# Verify installed version
wp plugin get tutor-pro --field=version
# Expected: 3.9.6 or higher

Or update through the WordPress admin panel: Plugins > Installed Plugins > Tutor LMS Pro > Update Now.

Navigate to WordPress Admin > Tutor LMS > Settings > Addons
Locate Social Login
Toggle OFF and save settings

Alternatively, deactivate the entire Tutor LMS Pro plugin if the site does not depend on it critically.

Step 3: Audit for Compromise

# Check for recently created admin accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered
 
# Review recent login events (if audit log plugin is active)
wp db query "SELECT user_login, user_email, user_registered FROM wp_users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 7 DAY);"
 
# Search for recently modified PHP files (potential backdoors)
find /path/to/wordpress/ -name "*.php" -newer /path/to/wordpress/wp-includes/version.php -not -path "*/cache/*" -type f
 
# Check active plugins for unauthorized additions
wp plugin list --status=active

Step 4: Harden WordPress Authentication

# Force password reset for all administrator accounts
wp user list --role=administrator --format=ids | xargs -I {} wp user update {} --user_pass="$(openssl rand -base64 24)"
 
# Regenerate WordPress secret keys
wp config shuffle-salts
 
# Invalidate all existing sessions
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"

Detection Indicators

Indicator	Description
New admin accounts created recently	Attacker-created persistence accounts
Social login requests with mismatched email/token	Exploitation attempt in access logs
Unexpected file modifications in wp-content/	Post-exploitation backdoor installation
Admin login events from unfamiliar IPs	Account takeover in use
New plugins or theme edits from unfamiliar sessions	Active post-compromise activity

Post-Remediation Checklist

Update Tutor LMS Pro to version 3.9.6 or later
Disable Social Login addon until patched if update is delayed
Audit all administrator accounts — remove any unauthorized entries
Reset all admin passwords and regenerate WordPress secret keys
Invalidate all active sessions to force re-authentication
Scan for webshells and backdoors in wp-content/ directory
Review access logs for evidence of prior exploitation
Enable two-factor authentication on all administrator accounts
Deploy a WAF (Wordfence, Sucuri, Cloudflare) with WordPress rule sets
Monitor for re-exploitation until patch is confirmed applied

References

Executive Summary

Organizations running Tutor LMS Pro version 3.9.5 or earlier with the Social Login feature enabled should update to version 3.9.6 immediately or disable the Social Login addon until patched.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-0953
CVSS Score	9.8 (Critical)
CWE	CWE-287 — Improper Authentication
Type	Authentication Bypass / Account Takeover
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Scope	Changed
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
Patch Available	Yes — version 3.9.6+

Affected Versions

Plugin	Affected Versions	Fixed Version
Tutor LMS Pro	<= 3.9.5 (all, with Social Login enabled)	3.9.6

Technical Analysis

Root Cause

The critical flaw: the plugin does not verify that the email in the login request matches the email encoded within the validated OAuth token.

An attacker can therefore:

Obtain a valid OAuth token for their own social account
Submit that token alongside a different user's email (e.g., the site admin's email)
The plugin validates the OAuth token as legitimate, then authenticates the request as the email-specified user — without any cross-check

This is a classic OAuth token/email mismatch vulnerability.

Attack Flow

1. Attacker creates a social account (e.g., Google) and obtains a valid OAuth token
2. Attacker enumerates or guesses admin/user email address on target WordPress site
3. Attacker sends crafted social login POST request:
   - oauth_token: [attacker's valid token]
   - email: [victim's email, e.g., admin@targetsite.com]
4. Plugin validates OAuth token signature — token is valid (it's the attacker's own)
5. Plugin retrieves WordPress user by the supplied email — returns admin account
6. Plugin creates authenticated session for admin — no password required
7. Attacker is logged in as site administrator with full WordPress control

Exploitation Conditions

Tutor LMS Pro version 3.9.5 or earlier must be installed and active
The Social Login addon must be enabled (default in most Tutor LMS Pro installations)
The attacker needs a valid OAuth token from any supported provider (trivial to obtain)
The attacker needs a valid email address registered on the site (can be guessed, found in leaks, or via WP user enumeration)

Impact Assessment

Impact Area	Description
Full Account Takeover	Attacker can log in as any user, including administrators
Site Defacement	Admin access enables theme, plugin, and content modification
Data Exfiltration	Access to student PII, course data, payment records, and user profiles
Malware Installation	Admin can install malicious plugins or modify PHP files
Credential Harvesting	Access to stored payment methods, OAuth tokens, email addresses
Persistent Backdoor	Attacker can create new admin accounts for persistent access
Hosting Pivot	Shared-hosting compromise can expand to other hosted sites

Immediate Remediation

Step 1: Update Tutor LMS Pro to 3.9.6

# Via WP-CLI
wp plugin update tutor-pro
 
# Verify installed version
wp plugin get tutor-pro --field=version
# Expected: 3.9.6 or higher

Or update through the WordPress admin panel: Plugins > Installed Plugins > Tutor LMS Pro > Update Now.

Navigate to WordPress Admin > Tutor LMS > Settings > Addons
Locate Social Login
Toggle OFF and save settings

Alternatively, deactivate the entire Tutor LMS Pro plugin if the site does not depend on it critically.

Step 3: Audit for Compromise

# Check for recently created admin accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered
 
# Review recent login events (if audit log plugin is active)
wp db query "SELECT user_login, user_email, user_registered FROM wp_users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 7 DAY);"
 
# Search for recently modified PHP files (potential backdoors)
find /path/to/wordpress/ -name "*.php" -newer /path/to/wordpress/wp-includes/version.php -not -path "*/cache/*" -type f
 
# Check active plugins for unauthorized additions
wp plugin list --status=active

Step 4: Harden WordPress Authentication

# Force password reset for all administrator accounts
wp user list --role=administrator --format=ids | xargs -I {} wp user update {} --user_pass="$(openssl rand -base64 24)"
 
# Regenerate WordPress secret keys
wp config shuffle-salts
 
# Invalidate all existing sessions
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"

Detection Indicators

Indicator	Description
New admin accounts created recently	Attacker-created persistence accounts
Social login requests with mismatched email/token	Exploitation attempt in access logs
Unexpected file modifications in wp-content/	Post-exploitation backdoor installation
Admin login events from unfamiliar IPs	Account takeover in use
New plugins or theme edits from unfamiliar sessions	Active post-compromise activity

Post-Remediation Checklist

Update Tutor LMS Pro to version 3.9.6 or later
Disable Social Login addon until patched if update is delayed
Audit all administrator accounts — remove any unauthorized entries
Reset all admin passwords and regenerate WordPress secret keys
Invalidate all active sessions to force re-authentication
Scan for webshells and backdoors in wp-content/ directory
Review access logs for evidence of prior exploitation
Enable two-factor authentication on all administrator accounts
Deploy a WAF (Wordfence, Sucuri, Cloudflare) with WordPress rule sets
Monitor for re-exploitation until patch is confirmed applied

Critical Auth Bypass in Tutor LMS Pro Exposes 30,000+

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Exploitation Conditions

Impact Assessment

Immediate Remediation

Step 1: Update Tutor LMS Pro to 3.9.6

Step 3: Audit for Compromise

Step 4: Harden WordPress Authentication

Detection Indicators

Post-Remediation Checklist

References

CVE-2026-3629: WordPress User Import Plugin Privilege Escalation

CVE-2026-25449: Critical Object Injection in Shinetheme Traveler WordPress Plugin

CVE-2026-3564: ConnectWise ScreenConnect Auth Bypass via Server Cryptographic Material

Critical Auth Bypass in Tutor LMS Pro Exposes 30,000+

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Exploitation Conditions

Impact Assessment

Immediate Remediation

Step 1: Update Tutor LMS Pro to 3.9.6

Step 3: Audit for Compromise

Step 4: Harden WordPress Authentication

Detection Indicators

Post-Remediation Checklist

References

CVE-2026-3629: WordPress User Import Plugin Privilege Escalation

CVE-2026-25449: Critical Object Injection in Shinetheme Traveler WordPress Plugin

CVE-2026-3564: ConnectWise ScreenConnect Auth Bypass via Server Cryptographic Material

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Exploitation Conditions

Impact Assessment

Immediate Remediation

Step 1: Update Tutor LMS Pro to 3.9.6

Step 2: Disable Social Login if Update Is Not Immediately Possible

Step 3: Audit for Compromise

Step 4: Harden WordPress Authentication

Detection Indicators

Post-Remediation Checklist

References

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Flow

Exploitation Conditions

Impact Assessment

Immediate Remediation

Step 1: Update Tutor LMS Pro to 3.9.6

Step 2: Disable Social Login if Update Is Not Immediately Possible

Step 3: Audit for Compromise

Step 4: Harden WordPress Authentication

Detection Indicators

Post-Remediation Checklist

References