themeum: Tutor LMS Pro (themeum): Authentication Bypass via Social Login Addon
CWE-287
Improper Authentication
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Per NVD: “The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators.”
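The missing check described above, as an added example that models a social-login callback generically (Python rather than the plugin's PHP, and not Tutor LMS Pro's own code): the token-info lookup, user store and request shape are constructed stand-ins.

```python
# Added example, not Tutor LMS code: flawed vs. corrected social-login callback.
# All data below is constructed for the demonstration.

# Constructed user store: email -> role.
USERS = {"admin@example.test": "administrator", "student@example.test": "subscriber"}

# Constructed stand-in for the provider's token-info endpoint: opaque token ->
# the claims the provider asserts for it.
PROVIDER_TOKENS = {
    "tok-student": {"email": "student@example.test", "email_verified": True},
}

def validate_token(token):
    """Return the provider-asserted claims for a token, or None if it is invalid."""
    return PROVIDER_TOKENS.get(token)

def login_vulnerable(request):
    """Flawed pattern: the token is validated, but the account is selected from
    the client-supplied email, which is never compared with the token's email.
    Returns the email of the account that would be logged in, or None."""
    claims = validate_token(request["token"])
    if claims is None:
        return None
    email = request["email"]          # attacker-controlled, trusted as-is
    return email if email in USERS else None

def login_fixed(request):
    """Corrected pattern: the account is bound to the email the provider
    asserted in the validated token; any request-supplied email must match."""
    claims = validate_token(request["token"])
    if claims is None or not claims.get("email_verified"):
        return None
    email = claims["email"].lower()   # identity comes from the provider only
    supplied = request.get("email")
    if supplied is not None and supplied.lower() != email:
        return None                   # request/token mismatch: reject the login
    return email if email in USERS else None
```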
Affected Packages / Versions
- Package: tutor-lms-pro (WordPress)
- Latest published version at triage time: 3.9.5
- Affected range: Tutor LMS Pro <= 3.9.5 (per NVD)
- Patched version: Tutor LMS Pro 3.9.6, released January 28, 2026 (per tutorlms.com release notes)
Impact
Per NVD: full CIA on the targeted user, with administrators explicitly listed as a viable target. The 3.9.6 release notes (tutorlms.com/releases/id/393) confirm: “Improved user email verification by validating the token during Google login.”
Severity Rationale
NVD CVSS 9.8 (Critical): network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality, integrity and availability impact.
Fix
Per Tutor LMS release notes: upgrade to Tutor LMS Pro 3.9.6, released January 28, 2026. The release also includes “Enhanced the security of email verification link generation” and “Added a capability check to the coupon details AJAX request.”
Disclosure timeline
- TBD: Reported to vendor
- Jan 28, 2026: Patch released (Tutor LMS Pro 3.9.6 per release notes)
- Mar 10, 2026: Public disclosure (per Praetorian cve-research listing)
Fix Commit(s)
References
Discovered by Siddhant Kalgutkar · Published April 29, 2026