CVE-2026-0953 is an authentication bypass vulnerability classified under CWE-287, found in the Tutor LMS Pro plugin for WordPress, specifically in all versions up to and including 3.9.5. The issue lies in the Social Login addon, where the plugin fails to verify that the email address provided in the authentication request matches the email address associated with the validated OAuth token. OAuth tokens are used to authenticate users via third-party identity providers, and the plugin accepts a valid OAuth token from an attacker’s own account but pairs it with a victim’s email address without proper validation. This flaw allows an attacker to bypass authentication controls and impersonate any existing user, including administrators, without needing any prior credentials or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly accessible. The impact is severe, affecting confidentiality, integrity, and availability of the affected WordPress sites, potentially leading to full site compromise, data theft, and unauthorized administrative actions. Although no public exploits have been reported yet, the vulnerability’s critical CVSS score of 9.8 reflects its high risk. The vulnerability was reserved in January 2026 and published in March 2026, with no patches currently linked, indicating that users must monitor for updates or apply workarounds.

The impact of CVE-2026-0953 is significant for organizations using Tutor LMS Pro, especially educational institutions and enterprises relying on WordPress for learning management. Successful exploitation allows attackers to impersonate any user, including administrators, leading to unauthorized access to sensitive educational content, user data, and administrative functions. This can result in data breaches, manipulation or deletion of course materials, disruption of LMS services, and potential lateral movement within the hosting environment. The vulnerability compromises confidentiality by exposing user data, integrity by allowing unauthorized changes, and availability by potentially disrupting LMS operations. Given the critical nature and ease of exploitation, attackers could leverage this flaw to establish persistent footholds or launch further attacks against the organization’s infrastructure. The lack of required privileges or user interaction increases the likelihood of widespread exploitation if unpatched.

To mitigate CVE-2026-0953, organizations should immediately upgrade Tutor LMS Pro to a patched version once available from the vendor. Until a patch is released, administrators should disable the Social Login addon to prevent exploitation. Implementing additional access controls such as Web Application Firewalls (WAFs) with rules to detect and block anomalous OAuth token usage can reduce risk. Monitoring authentication logs for suspicious login attempts involving mismatched email and OAuth tokens is critical for early detection. Organizations should also enforce multi-factor authentication (MFA) on WordPress admin accounts to limit damage from compromised sessions. Reviewing and restricting OAuth client permissions and scopes can minimize exposure. Finally, conducting thorough security audits of all third-party plugins and limiting plugin usage to trusted, actively maintained components will reduce future risks.