A critical vulnerability has been uncovered in Tutor LMS Pro, a popular WordPress plugin used by over 30,000 active sites to manage online courses. The flaw, tracked as CVE-2026-0953, carries a CVSS score of 9.8, which places it in the critical range for site administrators. The bug is an authentication bypass: an unauthenticated attacker can take over any account on a vulnerable site, including administrator accounts, provided they know the victim's email address.
The vulnerability was discovered by researcher Phat RiO through the Wordfence Bug Bounty Program and was reported only five days after the bug was introduced into the codebase.
The technical root of the problem lies in the plugin's social login feature, specifically in the authenticate() function of the TutorPro\SocialLogin\Authentication class. The plugin correctly verifies the access token it receives from providers such as Google or Facebook, but it then identifies the user to log in from the wrong source.
According to the Wordfence report: “Although the verify_google_token() or verify_facebook_token() functions perform authentication based on the access token, unfortunately the plugin does not get the user’s email address from the provider’s response, but from user input”.
In practice, an attacker obtains a valid access token for a social account they control and submits it together with the victim's email address. Because the plugin looks up the account using the user-supplied email rather than the email the provider attached to the verified token, it logs the attacker into the victim's account. No credentials for the victim's account are needed, only the email address.
The stakes for this vulnerability are incredibly high. “Authentication bypass vulnerabilities, and resulting access to high privileged user accounts, make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim”.
This is not a theoretical threat. Wordfence reported blocking 283 attacks against this specific vulnerability within a single 24-hour window.
The vendor has released a patch that validates that the email address associated with the social provider's token matches the email address supplied in the login request, so the provider's verified identity, not the request body, decides which account is opened.
All users are urged to update to version 3.9.6 or later as soon as possible.
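To make the trust-boundary mistake concrete, here is an added illustration written for this article; it is not the plugin's code and does not reproduce the actual authenticate() function. The provider lookup, the user table and the function names (verify_provider_token, find_user_by_email, authenticate_vulnerable, authenticate_hardened) are constructed stand-ins so the file runs offline. It places the vulnerable pattern (account chosen from the request body) next to a hardened one (account chosen from the provider's verified email, with the request email used only as a cross-check).

```php
<?php
// Added illustration, not Tutor LMS Pro code. Run with: php social_login_demo.php
// The provider response and the user table below are constructed for the demo.

declare(strict_types=1);

// Constructed stand-in for the provider's token verification / userinfo call.
// A real implementation would send the access token to Google or Facebook and
// read the identity from the provider's response. null means the token is invalid.
function verify_provider_token(string $access_token): ?array
{
    $known_tokens = [
        // The attacker owns this token; the provider vouches for attacker@example.com only.
        'tok-attacker-valid' => ['email' => 'attacker@example.com', 'email_verified' => true],
    ];
    return $known_tokens[$access_token] ?? null;
}

// Constructed stand-in for the site's user table (WordPress would use get_user_by()).
function find_user_by_email(string $email): ?array
{
    $users = [
        'admin@victim-site.example' => ['id' => 1,  'login' => 'admin',    'role' => 'administrator'],
        'attacker@example.com'      => ['id' => 42, 'login' => 'attacker', 'role' => 'subscriber'],
    ];
    return $users[strtolower($email)] ?? null;
}

// VULNERABLE pattern: the token is checked with the provider, but the account that
// gets logged in is selected from the attacker-controlled request body.
function authenticate_vulnerable(array $request): ?array
{
    $provider_user = verify_provider_token($request['access_token']);
    if ($provider_user === null) {
        return null; // provider rejected the token
    }
    return find_user_by_email($request['email']); // user-supplied email decides the account
}

// HARDENED pattern: the identity comes from the provider's response. The request's
// email, if present at all, may only be compared against it. Requiring the provider's
// email_verified assertion is general good practice for OIDC-style logins, since some
// providers let an account carry an address its owner has never proven control of.
function authenticate_hardened(array $request): ?array
{
    $provider_user = verify_provider_token($request['access_token']);
    if ($provider_user === null || empty($provider_user['email_verified'])) {
        return null;
    }
    $verified_email = strtolower($provider_user['email']);
    if (isset($request['email']) && strtolower($request['email']) !== $verified_email) {
        return null; // token owner and requested account do not match
    }
    return find_user_by_email($verified_email);
}

// Attack request as described in the article: the attacker's own valid token
// paired with the victim's (administrator's) email address.
$attack = [
    'access_token' => 'tok-attacker-valid',
    'email'        => 'admin@victim-site.example',
];

$vulnerable_session = authenticate_vulnerable($attack);
$hardened_session   = authenticate_hardened($attack);

printf("vulnerable handler logs in: %s\n", $vulnerable_session ? $vulnerable_session['login'] : 'nobody');
printf("hardened handler logs in:   %s\n", $hardened_session ? $hardened_session['login'] : 'nobody');
```

Run under the PHP CLI, the vulnerable handler resolves the attack request to the administrator account while the hardened handler rejects it, because the only email it trusts is the one the provider bound to the token. When reviewing any social-login or SSO integration, the check to make is the same: find the line that selects the local account and confirm its input is the verified provider response, not a request parameter.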