30,000 WordPress Sites Affected by Authentication Bypass Vulnerability in Tutor LMS Pro WordPress Plugin

On December 30th, 2025, we received a submission for an Authentication Bypass vulnerability in Tutor LMS Pro, a WordPress plugin estimated to have more than 30,000 active installations. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts used to administer the site, if the attacker knows, or can find, the associated email address.

Props to Phat RiO who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was reported to our program just five days after it was introduced. This researcher earned a bounty of $1,502.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 15, 2026. Sites using the free version of Wordfence received the same protection 30 days later on February 14, 2026.

We provided full disclosure details to the Themeum team instantly through our Wordfence Vulnerability Management Portal on January 14, 2026. The vendor acknowledged the report and released the patch on January 30, 2026. We would like to commend the Themeum team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Tutor LMS Pro, version 3.9.6 at the time of this publication, as soon as possible.


🔥🔥🔥 Triple Threat Bug Bounty Challenge 🔥🔥🔥
Hunt High Threat vulnerabilities and earn triple the incentives!

Now through April 6, 2026, earn three stacked bonuses on all valid submissions from our ‘High Threat Vulnerabilities’ list:

  • 💰 2x all high threat vulnerability bounties (excluding 5,000,000+ installs)
  • 📈 +30% bonus for high threat vulnerabilities in software with 30,000+ active installs (excluding 5,000,000+ installs)
  • 🎯 $300 extra for every 3 High Threat vulnerabilities submitted (minimum of 1,000 installs)

Use the Bounty Estimator to see what rewards are possible through the promotion.

Submit through our Bug Bounty Program today to maximize your impact and your payout.


Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 9.8 (Critical)
Affected Version(s): <= 3.9.5
Patched Version: 3.9.6
Bounty: $1,502.00
Affected Software: Tutor LMS Pro [tutor-pro]
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim’s email address.

Technical Analysis

Examining the code reveals that the plugin uses the authenticate() function in the TutorProSocialLoginAuthentication class to handle authentication via social login.

public static function authenticate() {
	$auth_success_msg = __( 'You are logging in!', 'tutor-pro' );
	$auth_failed_msg  = __( 'Something went wrong, please try again!', 'tutor-pro' );

	tutor_utils()->checking_nonce();

	// Sanitize user data. Note that 'email' is read from $_POST here.
	$request = Input::sanitize_array(
		wp_unslash( $_POST ),//phpcs:ignore
		array(
			'email'       => 'sanitize_email',
			'profile_url' => 'sanitize_url',
		)
	);

	$providers     = array( 'google', 'facebook' );
	$auth_provider = $request['auth'] ?? '';

	if ( ! in_array( $auth_provider, $providers, true ) ) {
		wp_send_json_error( 'Invalid auth request' );
	}

	$token = $request['token'] ?? '';

	// Check if the request is valid: the token itself is verified with the provider.
	if ( 'google' === $auth_provider ) {
		$verification = self::verify_google_token( $token );
		if ( ! $verification ) {
			wp_send_json_error( 'Invalid login request' );
		}

		$client_id = tutor_utils()->get_option( 'google_client_ID' );
		if ( ! $client_id === $request['auth_id_token'] ) {
			wp_send_json_error( 'Invalid Client ID', 'tutor-pro' );
		}
	}

	if ( 'facebook' === $auth_provider ) {
		$verification = self::verify_facebook_token( $token );
		if ( ! $verification ) {
			wp_send_json_error( 'Invalid login request' );
		}
	}

	// The email that selects the account comes from the request, not from $verification.
	$email = $request['email'];

	// Validate emails (format only; no comparison with the verified token).
	if ( empty( $email ) || ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
		wp_send_json_error( __( 'Invalid email', 'tutor-pro' ) );
	}

	// User already exists.
	if ( email_exists( $email ) ) {
		$userdata = get_user_by( 'email', $email );

		if ( is_a( $userdata, 'WP_User' ) ) {
			// Logged-in the user.
			$is_error = self::logged_in( $userdata );
			// ... remainder of the function omitted in this excerpt.
		}
	}
}

Although the verify_google_token() and verify_facebook_token() functions do validate the supplied access token, the plugin does not take the user’s email address from the provider’s response; it takes it from user input.

This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin by supplying a valid access token from their own account together with the victim’s email address.

As always, authentication bypass vulnerabilities, and resulting access to high privileged user accounts, make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim.

The Patch

The vendor patched this issue by adding the following email check to the authenticate() function:

// Validate emails.
if ( empty( $email ) || $verification->email !== $email || ! filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
	wp_send_json_error( __( 'Invalid email', 'tutor-pro' ) );
}
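To make the flaw described in the Technical Analysis and the vendor's fix concrete, the following added example (not the plugin's code) models both handlers in Python. verify_token() stands in for verify_google_token()/verify_facebook_token() and returns the claims the provider vouches for; the token and user values are constructed.

```python
"""Model of the Tutor LMS Pro social-login flaw and its fix (added example).

Assumptions: verify_token() stands in for the provider verification call and
returns the claims the identity provider actually asserted for that token;
USERS stands in for the WordPress user table. All values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed provider: token -> claims the provider vouches for.
PROVIDER_TOKENS = {
    "tok-attacker": {"email": "attacker@example.com"},
}

# Constructed site user table, keyed by e-mail address.
USERS = {
    "admin@example.com": "administrator",
    "attacker@example.com": "subscriber",
}


@dataclass
class Result:
    ok: bool
    logged_in_as: Optional[str]
    reason: str


def verify_token(token: str) -> Optional[dict]:
    """Stand-in for verify_google_token()/verify_facebook_token()."""
    return PROVIDER_TOKENS.get(token)


def authenticate_vulnerable(request: dict) -> Result:
    """Mirrors authenticate() in <= 3.9.5: the token is verified, but the
    account is chosen by request['email'], which the token never asserted."""
    claims = verify_token(request.get("token", ""))
    if claims is None:
        return Result(False, None, "Invalid login request")
    email = request.get("email", "")
    if email in USERS:
        return Result(True, email, "logged in")
    return Result(False, None, "no such user")


def authenticate_patched(request: dict) -> Result:
    """Mirrors 3.9.6: the submitted e-mail must equal the verified claim."""
    claims = verify_token(request.get("token", ""))
    if claims is None:
        return Result(False, None, "Invalid login request")
    email = request.get("email", "")
    if claims["email"] != email:          # the added check from the patch
        return Result(False, None, "Invalid email")
    if email in USERS:
        return Result(True, email, "logged in")
    return Result(False, None, "no such user")
```

A stricter variant would ignore the submitted e-mail altogether and look the account up by the verified claim alone; the example mirrors the vendor's comparison instead.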

Disclosure Timeline

December 30, 2025 – We received the submission for the Authentication Bypass vulnerability in Tutor LMS Pro via the Wordfence Bug Bounty Program.
January 14, 2026 – We validated the report and confirmed the proof-of-concept exploit.
January 14, 2026 – Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
January 15, 2026 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
January 16, 2026 – The vendor acknowledged the report and began working on a fix.
January 30, 2026 – The fully patched version of the plugin, 3.9.6, was released.
February 14, 2026 – Wordfence Free users received the same protection.

Conclusion

In this blog post, we detailed an Authentication Bypass vulnerability within the Tutor LMS Pro plugin affecting versions 3.9.5 and earlier. This vulnerability allows unauthenticated threat actors to bypass authentication and gain access to any account. The vulnerability has been addressed in version 3.9.6 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Tutor LMS Pro as soon as possible considering the critical nature of this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 15, 2026. Sites using the free version of Wordfence received the same protection 30 days later on February 14, 2026.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
