tutor-lms-social-login-auth-bypass

Tutor LMS Pro Social Login flaw lets unauthenticated attackers sign in as admins, an information security time-bomb for WordPress sites

What happened

There’s a specific and nasty problem in the Tutor LMS Pro WordPress plugin, tied to the Social Login addon. The vulnerability (CVE-2026-0953) allows an unauthenticated actor to log in as any existing user, including administrators, by supplying a valid OAuth token from their own social-login account together with the victim’s email address. In other words, the addon appears to check that the token is genuine but not that it belongs to the account named by the email: the token proves "someone real logged in at the provider", and the attacker-controlled email then decides which WordPress account gets the session.

The advisory says all Tutor LMS Pro versions up to and including 3.9.5 are affected via the Social Login addon. The advisory we have seen does not state who discovered the issue, when it was publicly disclosed, or whether a fixed version is available, so we cannot confirm those details here.
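To make the identity-binding mistake concrete, here is a small model of it. This is an added example written for this article, not Tutor LMS Pro code or anything from the vendor: the provider, token format, user table and linking table are all stand-ins. The vulnerable function verifies only that the token is valid and then trusts the client-supplied email; the hardened one derives the account from what the provider says about the token and ignores the request's email entirely.

```python
"""
Illustrative model of the OAuth identity-binding mistake described above.
Added example; not the plugin's code. Provider, tokens and user store are
all stand-ins constructed for the demonstration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ProviderIdentity:
    subject: str          # stable account id at the provider ("sub")
    email: str
    email_verified: bool


class FakeOAuthProvider:
    """Stand-in for Google/Facebook/etc.: issues opaque bearer tokens and
    answers "who does this token belong to" (the userinfo/tokeninfo step)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, ProviderIdentity] = {}

    def issue_token(self, identity: ProviderIdentity) -> str:
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = identity
        return tok

    def userinfo(self, token: str) -> Optional[ProviderIdentity]:
        return self._tokens.get(token)


# Constructed site user table: email -> (user_id, role)
SITE_USERS: Dict[str, Tuple[str, str]] = {
    "admin@example.test": ("1", "administrator"),
    "mallory@example.test": ("2", "subscriber"),
}


def vulnerable_social_login(provider: FakeOAuthProvider, token: str,
                            email: str) -> Optional[Tuple[str, str]]:
    """The pattern the advisory describes: the token is checked only for
    validity, then the *client-supplied* email selects the site account."""
    if provider.userinfo(token) is None:
        return None
    return SITE_USERS.get(email)  # BUG: email is never tied to the token


def hardened_social_login(provider: FakeOAuthProvider, token: str,
                          email: str,
                          link_table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """The account is derived from the provider's answer about the token.
    The request's email parameter is deliberately ignored. Primary match is
    provider subject -> site email via an explicit linking table; fallback
    is an email match only when the provider marks the email verified."""
    del email  # attacker-controlled; must not influence which account logs in
    ident = provider.userinfo(token)
    if ident is None:
        return None
    if ident.subject in link_table:
        return SITE_USERS.get(link_table[ident.subject])
    if ident.email_verified and ident.email in SITE_USERS:
        return SITE_USERS[ident.email]
    return None


def demo() -> Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Mallory holds a real provider token for her own account and submits
    the admin's email. Returns (vulnerable result, hardened result)."""
    provider = FakeOAuthProvider()
    mallory = ProviderIdentity("prov-uid-2", "mallory@example.test", True)
    tok = provider.issue_token(mallory)
    links = {"prov-uid-2": "mallory@example.test"}
    vuln = vulnerable_social_login(provider, tok, "admin@example.test")
    hard = hardened_social_login(provider, tok, "admin@example.test", links)
    return vuln, hard


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable path logged in as:", v)  # the administrator
    print("hardened path logged in as:  ", h)  # Mallory's own account
```

The hardened version also shows why matching on the provider's stable subject id is preferable to matching on email alone: a provider that lets users set an unverified email address would otherwise reopen the same hole one layer down.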

Why this matters to businesses

If you run Tutor LMS Pro on a WordPress site, this is not theoretical. An attacker who can authenticate as an admin can install plugins, read private course content and user data, exfiltrate email addresses, create backdoor accounts or change billing details. That hits customers and partners directly, and it lands on the procurement team when contracts start asking awkward questions.

Operationally, expect disruption: downtime while you clean and restore, legal time dealing with regulators if personal data is exposed, and replacement costs for compromised secrets. And yes, vendors and suppliers will ask pointed questions about patching windows and configuration controls.

Look, we all know the bad habit here: leave every add-on enabled, treat external authentication as a convenience rather than as part of the trust boundary, then act surprised when someone abuses it.

If you’ve got the same weakness, here’s what happens next

First, attackers often don’t shout about access. They quietly create persistent admin users, drop web shells, and harvest credentials for downstream attacks. Since this is an authentication bypass, resetting passwords does not close it: the attacker never needed the victim’s credentials, only a token for their own social-login account plus the victim’s email, so they can simply log in again. Revoking existing sessions evicts anyone already inside; only disabling or patching the addon stops them coming back.

Next, compromised admin access can be weaponised for data theft, fraudulent course purchases, or to pivot into other connected systems like CRM or payment gateways. Recovery costs climb fast, because you need forensic checks, token rotation, plugin audits and possibly expensive restore work.

What to do on Monday morning

  1. Check the Tutor LMS Pro version on every site, and confirm whether the Social Login addon is installed and enabled. If you can’t confirm a fix is available, disable or remove the Social Login addon immediately.
  2. Contact the plugin vendor and your hosting provider for an advisory and patch timeline, and apply vendor-supplied updates as a priority when they arrive.
  3. Invalidate every existing WordPress session (all users, not only those who used social login), rotate the OAuth client secrets registered with each provider, and only allow re-authentication through flows you trust. Note this is hygiene and eviction, not a fix: with the addon still enabled the bypass works again on the next login.
  4. Audit admin accounts created or modified recently, and remove any unexpected accounts. Preserve logs and snapshot the site before making wide changes so you can investigate later.
  5. Enable multi-factor authentication for all administrator logins and restrict admin page access by IP or VPN where feasible.
  6. Hunt for persistence: scan for unfamiliar plugins, scheduled tasks, modified themes and PHP files with recent timestamps (compare against a known-good copy or checksums too, since timestamps are trivial to forge), and check web server and application logs for suspicious social-login flows.
  7. If you detect compromise, invoke your incident response playbook: isolate the site, collect forensic artefacts, and notify affected users and regulators as required.
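For step 6, here is one way to hunt access logs for the abuse pattern. This is an added example, not from the article or the plugin vendor, and it runs over constructed sample log lines. Two things are assumptions rather than facts from the advisory: that the social-login callback lives at /social-login/callback, and that the targeted account's email appears in the query string as an `email=` parameter. Adjust both to what your plugin and web server actually log; if the email only travels in a POST body it will not be in the access log at all, and you need application-level logging instead.

```python
"""
Access-log hunt for the social-login abuse pattern. Added example, not the
plugin's or the article's code. The callback path and the `email` query
parameter are assumptions; the log lines below are constructed samples.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/social-login/callback"                          # assumption
ADMIN_EMAILS = {"admin@example.test", "finance@example.test"}     # constructed

# Constructed sample lines in Apache/nginx combined format. Source
# 203.0.113.7 uses social login to reach three different accounts in
# fifteen seconds; 198.51.100.4 looks like an ordinary student login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:01:02 +0000] "GET /social-login/callback?provider=google&email=mallory%40example.test HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:01:09 +0000] "GET /social-login/callback?provider=google&email=admin%40example.test HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:01:15 +0000] "GET /social-login/callback?provider=google&email=finance%40example.test HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:09:12:40 +0000] "GET /social-login/callback?provider=facebook&email=student%40example.test HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:09:13:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

Hit = Tuple[str, str, str]  # (source ip, timestamp, targeted email)


def parse_social_logins(log_text: str) -> List[Hit]:
    """Return one (ip, timestamp, email) tuple per social-login callback hit.
    parse_qs already percent-decodes, so %40 becomes @."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-standard line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != CALLBACK_PATH:
            continue
        for email in parse_qs(parts.query).get("email", []):
            hits.append((m.group("ip"), m.group("ts"), email.lower()))
    return hits


def find_suspicious(hits: List[Hit], max_accounts_per_ip: int = 1
                    ) -> Tuple[Dict[str, List[str]], List[Hit]]:
    """Two signals. First: one source reaching several different accounts
    through social login, which is exactly what the bypass enables (one
    attacker token, any victim email). Second: any social login that lands
    on an administrator account, which deserves a look regardless."""
    by_ip: Dict[str, set] = defaultdict(set)
    for ip, _, email in hits:
        by_ip[ip].add(email)
    multi = {ip: sorted(emails) for ip, emails in by_ip.items()
             if len(emails) > max_accounts_per_ip}
    admin_hits = [h for h in hits if h[2] in ADMIN_EMAILS]
    return multi, admin_hits


if __name__ == "__main__":
    multi, admin_hits = find_suspicious(parse_social_logins(SAMPLE_LOG))
    for ip, emails in multi.items():
        print(f"{ip} reached {len(emails)} accounts via social login: {emails}")
    for ip, ts, email in admin_hits:
        print(f"admin account {email} logged in via social login from {ip} at {ts}")
```

Treat a hit as a lead, not a verdict: a shared office NAT can legitimately produce several accounts from one address. The point is to narrow thousands of lines down to the handful worth correlating with the admin-account audit in step 4.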

Where ISO standards fit, without the sales pitch

An ISO 27001 aligned approach would have helped here by enforcing change control for plugins, clearer supplier responsibilities for third-party addons, and formal access control rules for admin privileges. See practical guidance at Synergos on ISO 27001 for how to lock down those processes.

For smaller organisations, baseline security certification such as IASME maps to the kind of straightforward controls you need: patching cadence, asset inventory and simple access rules that would catch an exposed Social Login addon before it’s exploited.

In short, Tutor LMS Pro combined with an enabled Social Login addon is a vivid example of how a convenience feature becomes an attack vector. If you run it, treat it like a live incident until you can prove otherwise.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.