CVE-2026-25406
Received Received - Intake
Authentication Bypass in Tutor LMS Pro

Publication date: 2026-03-25

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through <= 3.9.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25406
EUVD
EUVD-2026-15717
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themeum tutor_lms_pro to 3.9.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Authentication Bypass Using an Alternate Path or Channel in Themeum Tutor LMS Pro. It allows attackers to bypass the normal authentication process, potentially gaining unauthorized access to the system.

Impact Analysis

The impact of this vulnerability is that an attacker could abuse the authentication mechanism to gain unauthorized access to the Tutor LMS Pro system. This could lead to unauthorized actions or access to sensitive information within the affected application.

Detection Guidance

There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.

However, since the vulnerability affects the WordPress Tutor LMS Pro plugin versions up to 3.9.4 and allows authentication bypass, monitoring for unusual authentication attempts or unauthorized administrative actions on affected websites could be helpful.

Patchstack has issued a mitigation rule to block attacks exploiting this flaw until an official patch is released, so applying such mitigation or consulting your hosting provider or web developer is recommended.

Compliance Impact

The vulnerability allows unauthenticated attackers to gain administrative access to affected websites by bypassing authentication controls. This type of broken authentication flaw can lead to unauthorized access to sensitive data and systems.

Such unauthorized access can result in violations of common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information to protect user privacy and data security.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing protected data or allowing unauthorized actions within the affected systems.

Mitigation Strategies

This vulnerability allows unauthenticated attackers to perform actions normally restricted to higher privileged users, potentially gaining administrative access.

No official patch is currently available for this vulnerability.

Patchstack has issued a mitigation rule that can block attacks exploiting this flaw until an official patch is released.

Users are strongly advised to update the Tutor LMS Pro plugin immediately when a patch becomes available.

Alternatively, seek assistance from your hosting provider or web developer to apply mitigation measures and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25406. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart