CVE-2026-0953
Published: 10 March 2026
Summary
CVE-2026-0953 is a critical-severity Improper Authentication (CWE-287) vulnerability in Tutorlms (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of the email address provided in the authentication request against the data from the validated OAuth token, preventing the mismatch exploitation.
Mandates comprehensive identification and authentication mechanisms that verify user identity, including proper handling and cross-verification of OAuth token attributes like email.
Requires timely identification, reporting, and correction of flaws such as the improper email verification in the Tutor LMS Pro plugin, via patching to fixed versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Auth bypass in public-facing WordPress plugin directly enables remote exploitation (T1190) and impersonation of valid accounts (T1078).
NVD Description
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the…
more
authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.
Deeper analysisAI
CVE-2026-0953 is an authentication bypass vulnerability in the Tutor LMS Pro plugin for WordPress, affecting all versions up to and including 3.9.5 via the Social Login addon. The flaw occurs because the plugin does not verify that the email address provided in the authentication request matches the email from the validated OAuth token. Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By obtaining a valid OAuth token from their own account and pairing it with the email address of any existing user—including administrators—attackers can impersonate that user and log in to the WordPress site, potentially gaining full control over the affected instance.
Mitigation guidance is provided in the vendor release notes at https://tutorlms.com/releases/id/393/ and the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/92a120ac-66ae-4678-a87a-e62da885d50b?source=cve, which detail patching instructions for Tutor LMS Pro versions beyond 3.9.5. Security practitioners should prioritize updating affected plugins and monitoring for unauthorized access on sites using the Social Login addon.
Details
- CWE(s)