Critical Tutor LMS Pro Vulnerability Exposed Over 30,000 WordPress Sites

Deepanker Verma March 10, 2026 Security

Add Techlomedia as a preferred source on Google.

A critical security vulnerability has been discovered in the Tutor LMS Pro WordPress plugin that could allow attackers to take control of user accounts, including administrator accounts. The issue affects more than 30,000 WordPress sites that use the plugin.

The vulnerability was discovered by security researcher Phat RiO and reported through the Wordfence Bug Bounty Program. According to the report, the flaw allows an unauthenticated attacker to log in as any user on a website if they know the email address associated with that account.

Wordfence assigned the vulnerability a CVSS score of 9.8, which places it in the critical category. The issue has been tracked as CVE-2026-0953.

The problem exists in the Social Login feature of the Tutor LMS Pro plugin. This feature allows users to log in using services like Google or Facebook. However, the plugin failed to properly verify the email address during the authentication process. While the plugin verified the OAuth token from the social login provider, it relied on the email address provided by the user instead of verifying it with the provider response.

This means an attacker could log in using a valid OAuth token from their own account and simply provide the email address of another user on the site. If the email exists in the system, the plugin would log the attacker into that account.

In simple terms, attackers could gain access to any user account on a vulnerable website, including administrator accounts. Once an attacker gains admin access, they can completely compromise the site. They could modify content, upload malware, or create new admin users.

The plugin developer Themeum quickly responded after receiving the report. Wordfence shared the vulnerability details with the company on January 14, 2026. Themeum released a patched version of the plugin on January 30, 2026. The issue has been fixed in Tutor LMS Pro version 3.9.6.

The patch adds an additional verification step. The plugin now checks whether the email address provided during login matches the email returned by the OAuth provider. This prevents attackers from using a different email address during authentication.

WordPress site owners who use Tutor LMS Pro should update the plugin immediately. Any version up to 3.9.5 is vulnerable, while version 3.9.6 includes the security fix.

Follow Techlomedia on Google News to stay updated.

Affiliate Disclosure:

This article may contain affiliate links. We may earn a commission on purchases made through these links at no extra cost to you.

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a a known Security Researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.