CVE-2026-25406
Authentication Bypass in Tutor LMS Pro
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeum | tutor_lms_pro | to 3.9.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Authentication Bypass Using an Alternate Path or Channel in Themeum Tutor LMS Pro. It allows attackers to bypass the normal authentication process, potentially gaining unauthorized access to the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to gain administrative access to affected websites by bypassing authentication controls. This type of broken authentication flaw can lead to unauthorized access to sensitive data and systems.
Such unauthorized access can result in violations of common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information to protect user privacy and data security.
Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing protected data or allowing unauthorized actions within the affected systems.
What immediate steps should I take to mitigate this vulnerability?
This vulnerability allows unauthenticated attackers to perform actions normally restricted to higher privileged users, potentially gaining administrative access.
No official patch is currently available for this vulnerability.
Patchstack has issued a mitigation rule that can block attacks exploiting this flaw until an official patch is released.
Users are strongly advised to update the Tutor LMS Pro plugin immediately when a patch becomes available.
Alternatively, seek assistance from your hosting provider or web developer to apply mitigation measures and reduce risk.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker could abuse the authentication mechanism to gain unauthorized access to the Tutor LMS Pro system. This could lead to unauthorized actions or access to sensitive information within the affected application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.
However, since the vulnerability affects the WordPress Tutor LMS Pro plugin versions up to 3.9.4 and allows authentication bypass, monitoring for unusual authentication attempts or unauthorized administrative actions on affected websites could be helpful.
Patchstack has issued a mitigation rule to block attacks exploiting this flaw until an official patch is released, so applying such mitigation or consulting your hosting provider or web developer is recommended.