{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25406", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:19.001Z", "datePublished": "2026-03-25T16:14:48.521Z", "dateUpdated": "2026-03-25T16:14:48.521Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "tutor-pro", "product": "Tutor LMS Pro", "vendor": "Themeum", "versions": [{"lessThanOrEqual": "<= 3.9.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:27.655Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.<p>This issue affects Tutor LMS Pro: from n/a through <= 3.9.4.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through <= 3.9.4."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.521Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/tutor-pro/vulnerability/wordpress-tutor-lms-pro-plugin-3-9-4-broken-authentication-vulnerability?_s_id=cve"}], "title": "WordPress Tutor LMS Pro plugin <= 3.9.4 - Broken Authentication vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through <= 3.9.4."}], "id": "CVE-2026-25406", "lastModified": "2026-03-25T17:16:49.890", "metrics": {}, "published": "2026-03-25T17:16:49.890", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/tutor-pro/vulnerability/wordpress-tutor-lms-pro-plugin-3-9-4-broken-authentication-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:54:32.341704+00:00", "value": {"mitigation_remediation": ["Apply the latest Tutor LMS Pro update (3.9.5 or newer) released by Themeum.", "If an update is not yet available, temporarily disable the Tutor LMS Pro plugin or restrict its access to trusted administrators.", "Verify that authentication is enforced by attempting to log in via the alternate path after patch or mitigation.", "Monitor server logs for suspicious authentication attempts."], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The issue affects the WordPress Tutor LMS Pro plugin from the earliest release through version 3.9.4, provided by Themeum. Any WordPress site running these versions of the plugin is susceptible.", "description_and_impact": "The vulnerability enables authentication bypass by exploiting an alternate path, allowing attackers to gain unauthorized access and perform privileged actions without valid credentials. This flaw follows CWE\u2011288: Broken Authentication and can compromise the confidentiality and integrity of the system.", "risk_and_exploitability": "The CVSS score is not provided, and there is no EPSS data, but the vulnerability is not currently listed in the CISA KEV catalog. Attackers would likely exploit the flaw via standard HTTP requests to the plugin\u2019s alternate authentication endpoints, as the description indicates an authentication abuse scenario. Because the flaw permits bypass without needing additional credentials, the risk to affected sites is high, especially if the plugin grants administrative privileges."}}}}, "created": "2026-03-25T21:44:34.672585+00:00", "updated": "2026-03-25T21:44:34.672616+00:00", "vendors": []}