LeakyCreds

CVE-2026-0953 - Vulnerability Analysis

Critical (CVSS: 9.8)

Last Updated: March 11, 2026

Tutor LMS Pro - Authentication Bypass

Published: March 10, 2026 | Updated: March 11, 2026 | KEV | Remote Exploitable

Overview

The Tutor LMS Pro WordPress plugin, versions <= 3.9.5, contains an authentication bypass: the Social Login addon fails to verify that the supplied email address matches the identity bound to the OAuth token, letting unauthenticated attackers log in as any user, including administrators.
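The failure described above, as an added illustration rather than Tutor LMS Pro's own code: a hypothetical WordPress social-login callback that binds the account to a client-supplied email beside one that derives the email only from the provider's response for the token (the userinfo URL and the `provider_token_is_valid` helper are assumptions).

```php
<?php
// Added example, not Tutor LMS Pro code. Hypothetical WordPress social-login handlers.

// VULNERABLE PATTERN: the token is checked for validity, but the email that selects
// the WordPress account comes straight from the request.
function insecure_social_login( string $token, string $email_from_request ) {
    if ( ! provider_token_is_valid( $token ) ) {          // assumed helper
        return new WP_Error( 'bad_token', 'Invalid token' );
    }
    // Nothing ties $email_from_request to the identity the token was issued for.
    $user = get_user_by( 'email', $email_from_request );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No account for this email' );
    }
    wp_set_auth_cookie( $user->ID );                      // logs in whoever owns that email
    return $user;
}

// HARDENED PATTERN: the email is read from the provider's own userinfo response for
// this token, never from the client, and must be reported as verified.
function hardened_social_login( string $token ) {
    $resp = wp_remote_get( 'https://provider.example/userinfo', [ // assumed endpoint
        'headers' => [ 'Authorization' => 'Bearer ' . $token ],
        'timeout' => 10,
    ] );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'bad_token', 'Provider rejected token' );
    }
    $info = json_decode( wp_remote_retrieve_body( $resp ), true );
    // Where the provider reports an audience/client_id, also check it is this site's.
    if ( empty( $info['email'] ) || empty( $info['email_verified'] ) ) {
        return new WP_Error( 'unverified', 'No verified email in provider response' );
    }
    $user = get_user_by( 'email', sanitize_email( $info['email'] ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No account for this identity' );
    }
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The WordPress functions used (`get_user_by`, `wp_remote_get`, `wp_set_auth_cookie`, `WP_Error`) are real; only the provider endpoint and the helper are placeholders.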

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 4.0% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can log in as any user, including administrators, leading to full account takeover.

Mitigation

Update to a version later than 3.9.5.

Social Media Activity (1 post)

Offensive Sequence (@offseq), Mar 10, 2026

🚨 CRITICAL: CVE-2026-0953 impacts all versions of themeum Tutor LMS Pro for WordPress. Flawed Social Login lets attackers bypass authentication using valid OAuth tokens + victim’s email. Admin accounts at risk. Patch or restrict access! https://radar.offseq.com/threat/cve-2026-0953-cwe-287-improper-authentication-in-t-965fa126 #OffSeq #WordPress #Infosec


Details

CVE ID: CVE-2026-0953
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: unconfirmed
EPSS: 4.0%
Social Posts: 1

CWE

  • CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.0% (probability of exploitation in the next 30 days)