Critical WordPress Plugin Flaw Exposes 30,000 Sites to Account Takeovers
A critical security flaw has been discovered in the popular WordPress plugin Tutor LMS Pro. The vulnerability affects around 30,000 websites and allows attackers to bypass authentication. Without proper credentials, hackers could gain access to any user account, including administrator accounts.
The issue lies in the Social Login add-on of Tutor LMS Pro. All versions up to and including 3.9.5 contain a flaw in the authenticate() function of the TutorPro\SocialLogin\Authentication class. This function fails to check whether the email address provided matches the one verified by the OAuth token.
An attacker can exploit this by logging in with their own social media account and obtaining a valid OAuth token. They can then substitute a victim's email address, gaining full access to that account. The vulnerability poses a severe risk, as compromised administrator accounts could lead to further site takeovers. The developers released a patch on January 30, 2026, in version 3.9.6. Website administrators are strongly advised to update immediately. Additionally, they should review access logs for any unusual login attempts. To reduce exposure, administrator email addresses should also be kept private.
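The flaw described above is a classic social-login mistake: the server confirms that an OAuth token is valid, but then looks up the local account using an email address the client supplied instead of the one the identity provider attests for that token. The following is an added illustration written for this article, not Tutor LMS Pro's code and not a reconstruction of the 3.9.6 patch (which the article does not describe). It shows the vulnerable pattern beside the hardened one for a hypothetical WordPress plugin. The provider URL, the userinfo response shape and every function prefixed `hypothetical_` are assumptions; `get_user_by`, `wp_remote_get`, `wp_set_auth_cookie` and the other `wp_`/`is_` helpers are real WordPress core APIs.

```php
<?php
/**
 * Added illustration (hypothetical plugin, not Tutor LMS Pro's code):
 * two ways to finish a social-login callback once a bearer token arrives.
 *
 * Assumed: the userinfo URL, the JSON fields "email" and "email_verified",
 * and the hypothetical_* helpers. WordPress functions used are real core APIs.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The token really was issued by the provider, but the email used to pick the
// WordPress account comes from the request body. Holding a valid token for
// ANY provider account is therefore enough to log in as ANY local account.
function insecure_social_login( string $access_token ) {
    if ( ! hypothetical_token_is_valid( $access_token ) ) {
        return new WP_Error( 'bad_token', 'Invalid OAuth token' );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ); // client-controlled
    return log_in_wordpress_user_by_email( $email );
}

// --- Hardened pattern -------------------------------------------------------
// The only email allowed into the account lookup is the one the provider
// returns for this specific token. Anything the client sends is ignored.
function secure_social_login( string $access_token ) {
    $profile = hypothetical_fetch_provider_profile( $access_token );
    if ( is_wp_error( $profile ) ) {
        return $profile;
    }
    // Also require the provider to assert the address is verified; several
    // providers return an address the user typed in but never confirmed.
    if ( empty( $profile['email'] ) || empty( $profile['email_verified'] ) ) {
        return new WP_Error( 'unverified_email', 'Provider did not verify an email address' );
    }
    $email = sanitize_email( $profile['email'] );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Provider returned an invalid email' );
    }
    return log_in_wordpress_user_by_email( $email );
}

// Shared helper: resolve a WordPress user by email and start a session.
function log_in_wordpress_user_by_email( string $email ) {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No account for that email' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );
    // Fire the core login hook so audit/logging plugins record this login.
    do_action( 'wp_login', $user->user_login, $user );
    return $user;
}

// Hypothetical: ask the provider's userinfo endpoint who this token belongs
// to and return the decoded JSON profile (email, email_verified, sub, ...).
function hypothetical_fetch_provider_profile( string $access_token ) {
    $response = wp_remote_get(
        'https://provider.example/oauth2/userinfo', // placeholder URL
        array(
            'headers' => array( 'Authorization' => 'Bearer ' . $access_token ),
            'timeout' => 10,
        )
    );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'bad_token', 'Provider rejected the token' );
    }
    $profile = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $profile ) ? $profile : new WP_Error( 'bad_profile', 'Unparseable profile' );
}

// Hypothetical: a check that only confirms the token is valid for SOME
// provider account. That is all the vulnerable pattern ever verifies.
function hypothetical_token_is_valid( string $access_token ): bool {
    return ! is_wp_error( hypothetical_fetch_provider_profile( $access_token ) );
}
```

The defensive point is that identity must flow from the token to the account, never from a free-form request parameter to the account. When reviewing a social-login integration, look for any place where `$_POST`, `$_GET` or a decoded request body feeds `get_user_by('email', ...)` or `get_user_by('login', ...)` after the token check; that is the shape of the bug the article describes. Pairing the hardened handler with the `wp_login` hook also gives log-review tooling a consistent event to inspect when checking for the unusual logins the article recommends looking for.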
The fix is now available, but sites running older versions remain at risk. Updating to Tutor LMS Pro 3.9.6 or later closes the security gap. Without the patch, attackers could continue exploiting the flaw to hijack accounts.