Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Tutor LMS Pro plugin: attackers can log in as any user
CVE-2026-0953
Summary
The Tutor LMS Pro plugin for WordPress has a security flaw that allows hackers to log in as any user, including administrators, without a password. This is because the plugin doesn't properly check the email address when a user tries to log in using their social media account. To fix this, update the plugin to version 3.9.6 or later, or remove the Social Login addon until a patch is available.
Original title
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify tha...
Original description
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.
nvd CVSS3.1
9.8
Vulnerability type
CWE-287
Improper Authentication
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026