CVE-2026-0953

Themeum · Tutor LMS Pro

An authentication bypass in the Tutor LMS Pro plugin for WordPress allows unauthenticated attackers to log in as any user, including administrators, via the Social Login addon.

Executive summary

A critical authentication bypass in the Tutor LMS Pro WordPress plugin enables unauthenticated attackers to seize full administrative control of affected websites.

Vulnerability

The vulnerability exists in the Social Login addon, which validates the OAuth token presented by the client but does not verify that the email address supplied in the same authentication request matches the email bound to that token by the identity provider. An unauthenticated attacker who holds a valid OAuth token for their own account at the provider can therefore submit that token together with a victim's email address and be logged in as the victim, including as an administrator. No credentials or existing session of the victim are needed; the attacker simply chooses which account the plugin signs them into.
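The following is a simplified model of the flawed check and its fix, added here as an illustration; it is not code from Tutor LMS Pro, and the plugin's real request handling is not reproduced. It assumes a hypothetical OAuth provider whose access tokens resolve to a verified email, a hypothetical user store keyed by email, and constructed sample tokens and accounts. The vulnerable function picks the account from the request-supplied email after checking only that the token is valid; the hardened function derives the account from the token's verified email and rejects a mismatching request email.

```python
"""
Model of an OAuth social-login handler that trusts a request-supplied
email (vulnerable) versus one that binds the login to the email the
identity provider verified (hardened). Illustrative only; all data is
constructed and the provider call is a stand-in.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: access tokens the hypothetical provider would accept,
# each mapped to the email the provider has verified for the token's owner.
PROVIDER_TOKENS = {
    "tok-attacker-0001": "attacker@example.net",
    "tok-student-0042": "student@example.org",
}

# Constructed sample user store keyed by email, with WordPress-style roles.
USERS = {
    "admin@example.org": {"id": 1, "role": "administrator"},
    "student@example.org": {"id": 42, "role": "subscriber"},
    "attacker@example.net": {"id": 77, "role": "subscriber"},
}


@dataclass
class LoginResult:
    ok: bool
    user_id: Optional[int] = None
    role: Optional[str] = None
    reason: str = ""


def provider_validate(token: str) -> Optional[str]:
    """Stand-in for the call to the OAuth provider (hypothetical): returns the
    verified email bound to the token, or None if the token is not valid."""
    return PROVIDER_TOKENS.get(token)


def vulnerable_social_login(token: str, requested_email: str) -> LoginResult:
    """Flawed pattern: the token is validated, but the account to sign in is
    selected from the email in the request, which the attacker controls."""
    if provider_validate(token) is None:
        return LoginResult(False, reason="invalid token")
    user = USERS.get(requested_email.lower())
    if user is None:
        return LoginResult(False, reason="no such user")
    return LoginResult(True, user["id"], user["role"], "logged in")


def hardened_social_login(token: str, requested_email: str) -> LoginResult:
    """Fixed pattern: the identity comes only from the validated token. A
    request email that differs from the provider's verified email is a
    tampering signal and the login is refused."""
    verified_email = provider_validate(token)
    if verified_email is None:
        return LoginResult(False, reason="invalid token")
    if requested_email.lower() != verified_email.lower():
        return LoginResult(False, reason="email does not match token")
    user = USERS.get(verified_email.lower())
    if user is None:
        return LoginResult(False, reason="no such user")
    return LoginResult(True, user["id"], user["role"], "logged in")


if __name__ == "__main__":
    # Attacker uses their own valid token but names the administrator's email.
    print("vulnerable:", vulnerable_social_login("tok-attacker-0001", "admin@example.org"))
    print("hardened:  ", hardened_social_login("tok-attacker-0001", "admin@example.org"))
```

The point of the hardened version is that the server never lets the client name the account: the only identity it acts on is the one the provider asserted for the token it just validated.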

Business impact

The ability for an attacker to log in as an administrator results in a total compromise of the WordPress site. This can lead to the theft of student and instructor data, modification of course content, and the installation of malicious scripts or backdoors. The CVSS score of 9.8 underscores the extreme risk to data privacy and site integrity.

Remediation

Immediate Action: Update the Tutor LMS Pro plugin to version 3.9.6 or later, which corrects the Social Login authentication logic. Treat this as the only complete fix.

Proactive Monitoring: Audit WordPress user accounts for administrator profiles you did not create, and check existing administrators for unexpected changes to email addresses or roles. Review recent login activity and the Tutor LMS logs for suspicious activity, in particular logins via the Social Login addon to accounts whose owners do not use social sign-in.

Compensating Controls: If the update cannot be applied immediately, disable the Social Login addon until it can. This removes the vulnerable code path at the cost of social sign-in for legitimate users; it does not undo any compromise that has already occurred.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Because this flaw allows unauthenticated administrative access with minimal effort, it must be remediated with the highest urgency regardless of the absence of a public exploit. Site administrators should prioritize updating the Tutor LMS Pro plugin immediately. After updating, perform a thorough security audit of the WordPress installation, including user accounts, course content, plugin and theme files, and scheduled tasks, to confirm that no unauthorized changes or backdoors were introduced before the patch.