Cyber Resilience

CVE-2026-0953

Critical

Published: 10 March 2026

Published
10 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0066 46.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0953 is a critical-severity Improper Authentication (CWE-287) vulnerability in Tutorlms (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0953 is an authentication bypass vulnerability in the Tutor LMS Pro plugin for WordPress, affecting all versions up to and including 3.9.5 via the Social Login addon. The flaw occurs because the plugin does not verify that the email address provided in the authentication request matches the email from the validated OAuth token. Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By obtaining a valid OAuth token from their own account and pairing it with the email address of any existing user—including administrators—attackers can impersonate that user and log in to the WordPress site, potentially gaining full control over the affected instance.

Mitigation guidance is provided in the vendor release notes at https://tutorlms.com/releases/id/393/ and the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/92a120ac-66ae-4678-a87a-e62da885d50b?source=cve, which detail patching instructions for Tutor LMS Pro versions beyond 3.9.5. Security practitioners should prioritize updating affected plugins and monitoring for unauthorized access on sites using the Social Login addon.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the…

more

authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Auth bypass in public-facing WordPress plugin directly enables remote exploitation (T1190) and impersonation of valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12919Shared CWE-287
CVE-2026-3655Shared CWE-287
CVE-2026-5722Shared CWE-287
CVE-2026-30949Shared CWE-287
CVE-2026-23906Shared CWE-287
CVE-2025-67822Shared CWE-287
CVE-2025-1475Shared CWE-287
CVE-2025-22146Shared CWE-287
CVE-2026-5229Shared CWE-287
CVE-2026-28514Shared CWE-287

Affected Assets

Tutorlms
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the email address provided in the authentication request against the data from the validated OAuth token, preventing the mismatch exploitation.

prevent

Mandates comprehensive identification and authentication mechanisms that verify user identity, including proper handling and cross-verification of OAuth token attributes like email.

prevent

Requires timely identification, reporting, and correction of flaws such as the improper email verification in the Tutor LMS Pro plugin, via patching to fixed versions.

References