Tutor LMS Pro Authentication Bypass Exposes 30,000 WordPress Sites

A critical authentication bypass in Tutor LMS Pro affects 30,000 WordPress sites. Update to version 3.9.6 now to secure your site.

An authentication bypass vulnerability in the Tutor LMS Pro WordPress plugin has put over 30,000 websites at risk. The flaw lets unauthenticated attackers log in as any account, including administrator accounts, through the plugin's Social Login feature, provided they know the email address of the account they want to take over.

The vulnerability, tracked as CVE-2026-0953, was discovered by Phat RiO of BlueRock and reported through the Wordfence Bug Bounty Program. It affects versions up to and including 3.9.5 and carries a critical CVSS score of 9.8. The root cause is that the plugin validates the OAuth token but never checks that the email submitted in the login request matches the email the OAuth provider returned for that token. An attacker can therefore present any valid OAuth token (for example, one issued for the attacker's own social account) together with the victim's email address, and the plugin logs them in as the victim.
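The following Python model illustrates the class of mistake described above. It is an added example, not code from Tutor LMS Pro or Themeum: the token table, user table and handler names are constructed for illustration. The flawed handler checks that the token is valid and then picks the account from the email in the request body; the hardened handler binds the session to the email the provider asserted for that token and rejects any request whose submitted email disagrees.

```python
"""Model of the OAuth social-login account-selection flaw (added example).

Constructed assumptions:
- VALID_TOKENS stands in for the identity provider's token-introspection or
  userinfo endpoint; a real handler would call the provider over HTTPS.
- USERS stands in for the site's user table, keyed by lower-cased e-mail.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenClaims:
    sub: str             # provider-side account identifier
    email: str           # e-mail the provider asserts for this account
    email_verified: bool  # whether the provider has verified that e-mail


# Constructed token store: the attacker holds a perfectly valid token for
# their own social account; a second token carries an unverified e-mail.
VALID_TOKENS = {
    "tok-attacker-9f2c": TokenClaims("10001", "attacker@example.com", True),
    "tok-unverified-77a1": TokenClaims("10002", "someone@example.com", False),
}

# Constructed site user table.
USERS = {
    "admin@example.com": {"id": 1, "role": "administrator"},
    "attacker@example.com": {"id": 42, "role": "subscriber"},
}


def validate_token(provider_token: str) -> Optional[TokenClaims]:
    """Return the provider-asserted claims, or None if the token is invalid."""
    return VALID_TOKENS.get(provider_token)


def vulnerable_social_login(request: dict) -> Optional[dict]:
    """Flawed pattern: the token is checked, but the account to log in is
    chosen from the client-supplied e-mail. Any valid token plus a known
    e-mail therefore yields a session for that e-mail's account."""
    claims = validate_token(request.get("token", ""))
    if claims is None:
        return None
    return USERS.get(request.get("email", "").lower())


def hardened_social_login(request: dict) -> Optional[dict]:
    """Bind the session to the identity the provider actually asserted.
    The request-body e-mail is untrusted input: it is only allowed to agree
    with the token, never to choose the account on its own."""
    claims = validate_token(request.get("token", ""))
    if claims is None or not claims.email_verified:
        return None
    submitted = request.get("email")
    if submitted is not None and submitted.lower() != claims.email.lower():
        return None  # request e-mail disagrees with the token: reject
    return USERS.get(claims.email.lower())


def demo() -> tuple:
    """Replay the attack shape: attacker's own token, victim's e-mail."""
    forged = {"token": "tok-attacker-9f2c", "email": "admin@example.com"}
    return vulnerable_social_login(forged), hardened_social_login(forged)


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable handler logged in as:", before)  # the administrator
    print("hardened handler logged in as:", after)     # None (rejected)
```

The check that matters is the last one in `hardened_social_login`: the account lookup key comes from `claims.email`, which the provider vouched for, and any email the client sent is compared against it rather than used for the lookup. Requiring `email_verified` closes the related hole where a provider account has been created with someone else's unverified address.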

Tutor LMS Pro Version 3.9.6 Patch

Wordfence notified the plugin's developers, Themeum, who released a security patch on January 30, 2026. Users are strongly advised to update to the patched version 3.9.6 immediately. Wordfence Premium, Care, and Response users received a firewall rule against this vulnerability on January 15, 2026, and free users were protected starting February 14, 2026; a firewall rule blocks the known attack pattern but does not fix the underlying code, so it is a stopgap rather than a substitute for updating.


The flawed code had been introduced only five days before it was reported, a reminder that a freshly shipped feature can become an exploitable entry point almost immediately and that advisories for recently updated plugins deserve prompt attention. Wordfence's coordination with the researcher and with Themeum reflects the collaborative model that shortens the window between discovery and fix.

Implications for WordPress Site Operators

This vulnerability is a stark reminder for site operators to keep plugins up to date and to follow security advisories. An unpatched site remains open to unauthorized access, which can lead to data breaches, site defacement, or other malicious activity. Because a successful attack produces an ordinary logged-in session rather than an error, patching alone does not reveal whether a site was already compromised while it ran a vulnerable version; operators should also review administrator accounts, recent login activity, and any unexpected plugins or files.

Wordfence’s Bug Bounty Program continues to incentivize high-quality vulnerability research, offering substantial rewards for discoveries. The recent Triple Threat Bug Bounty Challenge encourages the submission of high-threat vulnerabilities with enhanced rewards, promoting a more secure ecosystem.

What To Do

  • Developers: Derive the logged-in identity from the email or user ID the OAuth provider returns for the validated token, never from an email supplied in the request; if the request carries an email, require it to match the token and reject the login otherwise.
  • Site Operators: Update Tutor LMS Pro to version 3.9.6 immediately, then regularly review and update other plugins.
  • Security Professionals: Review authentication logs for social-login events that landed on administrator accounts, check for unexpected administrator users, and audit site security settings.
