PT-2026-24178 · WordPress · Tutor LMS Pro

Phat Rio · Published 2026-03-10 · Updated 2026-03-24

CVE-2026-0953
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tutor LMS Pro plugin for WordPress, versions through 3.9.5

Description: The Tutor LMS Pro plugin for WordPress is susceptible to authentication bypass through the Social Login addon. The plugin does not properly validate that the email address supplied during authentication matches the email address associated with the validated OAuth token. An attacker who holds a valid OAuth token for their own account can therefore submit it together with a target user's email address and be logged in as that user, including administrators. This issue is reported to be actively exploited in the wild. Approximately 50,000 WordPress LMS installations are potentially affected.

Recommendations: Update to version 3.9.6 or later.
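The flaw described above, modelled as an added example (constructed, not the plugin's or the vendor's code): the login handler must choose the account from the identity the OAuth provider binds to the validated token, never from an email the client sends alongside it. The provider lookup, the token table and the user table are assumptions standing in for the real provider call and the WordPress user store.

```python
"""Constructed model of the Social Login auth-bypass pattern and its fix."""
from typing import Optional

# Constructed sample data: tokens the provider has issued and the email bound to each.
PROVIDER_TOKENS = {"tok-attacker": "attacker@example.net"}

# Constructed WordPress-style user table keyed by email (value = user login / role).
USERS = {"admin@example.org": "admin", "attacker@example.net": "subscriber"}


def provider_userinfo(token: str) -> Optional[str]:
    """Stand-in for the provider's token validation / userinfo call.
    Returns the email the provider asserts for this token, or None if invalid."""
    return PROVIDER_TOKENS.get(token)


def vulnerable_login(token: str, email_from_request: str) -> Optional[str]:
    """Flawed pattern: the token is verified, but the account to sign in is
    selected from the client-supplied email, which is never compared with
    the email the provider bound to the token."""
    if provider_userinfo(token) is None:
        return None
    return USERS.get(email_from_request)  # caller controls which account this is


def fixed_login(token: str, email_from_request: str) -> Optional[str]:
    """Hardened pattern: the account is looked up by the provider-asserted
    email only. A request email that differs from it is rejected; treat such
    a mismatch as a detection signal worth logging."""
    asserted = provider_userinfo(token)
    if asserted is None:
        return None
    if email_from_request.strip().lower() != asserted.lower():
        return None  # claimed identity does not match the token's identity
    return USERS.get(asserted)
```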

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2026-0953

Affected Products: Social Login, Tutor LMS Pro