Cyber Resilience

CVE-2026-25406

High

Published: 25 March 2026

Published
25 March 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0034 25.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25406 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25406 is an Authentication Bypass Using an Alternate Path or Channel vulnerability (CWE-288) in the Themeum Tutor LMS Pro WordPress plugin, specifically the tutor-pro component. This issue affects Tutor LMS Pro versions from n/a through 3.9.4 and was published on 2026-03-25. It has a CVSS v3.1 base score of 8.1 (High), reflecting significant risk due to its potential for authentication abuse.

The vulnerability can be exploited over the network (AV:N) by attackers requiring no privileges (PR:N) and no user interaction (UI:N), although it demands high attack complexity (AC:H) with unchanged scope (S:U). Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability (C:H/I:H/A:H), allowing attackers to bypass authentication mechanisms and potentially gain unauthorized access to the plugin's functionalities.

Mitigation details are outlined in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tutor-pro/vulnerability/wordpress-tutor-lms-pro-plugin-3-9-4-broken-authentication-vulnerability?_s_id=cve.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through <= 3.9.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass (CWE-288) in public-facing WordPress plugin directly enables remote exploitation of the application without credentials or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44574Shared CWE-288
CVE-2025-2747Shared CWE-288
CVE-2025-69101Shared CWE-288
CVE-2026-2628Shared CWE-288
CVE-2025-64121Shared CWE-288
CVE-2026-22733Shared CWE-288
CVE-2026-44575Shared CWE-288
CVE-2025-50904Shared CWE-288
CVE-2025-24846Shared CWE-288
CVE-2026-25002Shared CWE-288

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates CVE-2026-25406 by applying patches to the vulnerable Tutor LMS Pro plugin, preventing authentication bypass exploitation.

prevent

Access enforcement ensures logical access to plugin functionalities is restricted to authorized users, countering the alternate path authentication bypass.

prevent

Identification and authentication for organizational users provides robust mechanisms that reduce the risk of bypass via alternate channels in the plugin.

References