
March 11 CVE digest brings WordPress auth bypass, gas station RCE, Fortinet MFA flaw

By Artem Safonov, Threat Analyst
Cover © Anonhaven

Security databases published 420 new CVEs on March 11, 2026. Three scored critical (CVSS 9.3 or higher), led by an authentication bypass in a WordPress LMS plugin that affects an estimated 30,000 sites. Fortinet disclosed 11 flaws of its own on the same day.

CVE-2026-0953 (CVSS 9.8) tops the batch: an authentication bypass in the Social Login addon of the Tutor LMS Pro plugin for WordPress. The addon validates the OAuth token but never checks that the email address submitted with the login request matches the email the OAuth provider bound to that token, so the email is effectively attacker-controlled input. An unauthenticated attacker can present a valid OAuth token for an account they own, pair it with any victim's email address, and log in as that user, including as site administrator.
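The check the advisory describes as missing, shown as an added example (not Tutor LMS Pro's own code, and written in Python rather than the plugin's PHP). The provider, the token strings, the user table and the function names are all constructed for illustration; the point is that the identity used for the account lookup must come from the provider's response to the validated token, never from the request body.

```python
import hmac

# Constructed stand-in for the OAuth provider's userinfo endpoint: maps an
# opaque access token to the identity the provider asserts for it.
PROVIDER_ACCOUNTS = {
    "tok-attacker-1": {"sub": "prov-1001", "email": "attacker@example.net"},
    "tok-victim-1":   {"sub": "prov-2002", "email": "admin@victim.example"},
}

# Constructed site user table, keyed by email (the social-login lookup key).
SITE_USERS = {
    "admin@victim.example": {"id": 1, "role": "administrator"},
    "attacker@example.net": {"id": 7, "role": "subscriber"},
}


def provider_userinfo(token):
    """Validate the token with the (simulated) provider; None if it is not valid."""
    return PROVIDER_ACCOUNTS.get(token)


def social_login_vulnerable(token, submitted_email):
    """The flawed pattern: the token is checked for validity, but the account
    lookup uses the email from the request, not the one the provider returned."""
    if provider_userinfo(token) is None:
        return None
    user = SITE_USERS.get(submitted_email)
    return user["id"] if user else None


def social_login_fixed(token, submitted_email=None):
    """Hardened flow: the provider's asserted email is the only identity source.
    If the client still sends an email field, it must match exactly; better
    still, drop the field from the request altogether."""
    info = provider_userinfo(token)
    if info is None:
        return None
    provider_email = info["email"].strip().lower()
    if submitted_email is not None:
        if not hmac.compare_digest(provider_email, submitted_email.strip().lower()):
            return None  # token and claimed identity disagree: refuse, do not fall back
    user = SITE_USERS.get(provider_email)
    return user["id"] if user else None


if __name__ == "__main__":
    # Attacker's own token paired with the administrator's email.
    print("vulnerable ->", social_login_vulnerable("tok-attacker-1", "admin@victim.example"))
    print("fixed      ->", social_login_fixed("tok-attacker-1", "admin@victim.example"))
```

A stronger fix than comparing emails is to key site accounts on the provider's stable subject identifier (`sub` above) and treat the email only as profile data, since some providers allow unverified or changeable addresses.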

Wordfence discovered the flaw and reported it to developer Themeum on January 14, 2026. Themeum released version 3.9.6 with a fix on January 30, 2026. All versions up to and including 3.9.5 are vulnerable. Wordfence estimates 30,000 active installations. PT Security's dbugs platform puts the figure closer to 50,000.

The defect exposes more than 30,000 WordPress sites to potential full account takeover, including administrator accounts, if an attacker can acquire the target's email address.

— the Wordfence security team wrote in its disclosure

PT Security noted that CVE-2026-0953 "is being actively exploited in the wild." OffSeq Threat Radar listed no confirmed exploitation at the time of publication. The discrepancy has not been resolved.

A legacy CMS carries the second critical flaw. CVE-2026-28495 (CVSS 9.6) affects the massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22. The plugin's gsconfig editor lets an authenticated admin overwrite gsconfig.php with arbitrary PHP code, but the form lacks CSRF protection (CWE-352). A malicious page visited by a logged-in admin can silently write attacker-controlled PHP into the CMS configuration, achieving remote code execution.
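What a CSRF-protected version of such a config-save handler looks like, as an added example (not massiveAdmin's or GetSimple's code, and in Python rather than PHP). The session shape, the `gsconfig.php` stand-in, the Origin check, the nonce format and all names are assumptions made for the demonstration. The vulnerable handler accepts any request that carries the admin's session cookie, which a browser attaches to a cross-site form post automatically; the fixed handler additionally requires a nonce bound to that session and to this one action, which an attacker's page cannot read.

```python
import hashlib
import hmac
import os
import time

# Per-deployment signing secret, generated fresh for the demo; a real CMS
# would persist it outside the web root.
NONCE_SECRET = os.urandom(32)
ACTION = "save-gsconfig"


def _mac(session_id, action, ts):
    msg = f"{session_id}|{action}|{ts}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()


def issue_nonce(session_id, action=ACTION, now=None):
    """Nonce embedded in the admin form: bound to one session and one action,
    with a timestamp so it expires."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(session_id, action, ts)}"


def verify_nonce(nonce, session_id, action=ACTION, max_age=3600, now=None):
    try:
        ts_str, mac = nonce.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= max_age:
        return False
    return hmac.compare_digest(mac, _mac(session_id, action, ts))


class ConfigFile:
    """Stand-in for gsconfig.php on disk."""
    def __init__(self):
        self.contents = "<?php\n$GSSALT = 'original';\n"


def save_config_vulnerable(cfg, session, form):
    """The flawed pattern: only the session cookie is checked (CWE-352)."""
    if session.get("role") != "admin":
        return False
    cfg.contents = form["config"]
    return True


def save_config_fixed(cfg, session, form, origin=None, site_origin="https://cms.example"):
    """Hardened handler: an Origin header, when present, must match the site,
    and the form must carry a valid nonce for this session and action."""
    if session.get("role") != "admin":
        return False
    if origin is not None and origin != site_origin:
        return False
    if not verify_nonce(form.get("nonce", ""), session["id"]):
        return False
    cfg.contents = form["config"]
    return True


if __name__ == "__main__":
    admin = {"id": "sess-42", "role": "admin"}
    hostile = {"config": "<?php /* attacker-controlled PHP */ ?>"}  # no nonce
    cfg = ConfigFile()
    print("vulnerable accepted cross-site post:", save_config_vulnerable(cfg, admin, hostile))
    cfg = ConfigFile()
    print("fixed accepted cross-site post:     ", save_config_fixed(cfg, admin, hostile))
```

The Origin check alone is not enough (older clients and some proxies omit the header), which is why the handler falls through to the nonce check rather than treating a missing Origin as trusted.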

The third critical CVE comes from an unusual corner. CVE-2026-3843 (CVSS 9.3) is an unauthenticated SQL injection in the BUK TS-G gas station automation system version 2.9.1, built by Russian manufacturer Nefteprodukttekhnika. The flaw sits in /php/request.php and requires no credentials. An attacker can execute arbitrary SQL commands and escalate to full RCE on the underlying Linux host. Russia's FSTEC BDU confirmed the advisory under BDU:2025-13914.
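The injection class behind CVE-2026-3843, as an added example that is not BUK TS-G code: the advisory does not name the vulnerable parameter in /php/request.php, so the table, the `login` parameter, the payloads and the function names below are all constructed, and Python with an in-memory SQLite database stands in for the PHP endpoint and its real database. The example shows how string-built SQL turns a request parameter into a query, and that binding the parameter closes it; the escalation from SQL to command execution on the host depends on the database engine and its privileges and is not reproduced here.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for the automation system's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (id INTEGER PRIMARY KEY, login TEXT, secret TEXT)")
    conn.executemany("INSERT INTO operators (login, secret) VALUES (?, ?)",
                     [("operator", "pump-s3cret"), ("admin", "site-hunter2")])
    conn.commit()
    return conn


def find_operator_vulnerable(conn, login):
    """Request parameter spliced into the SQL text (CWE-89)."""
    sql = "SELECT id, login FROM operators WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_operator_safe(conn, login):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    return conn.execute("SELECT id, login FROM operators WHERE login = ?", (login,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    # Tautology: matches every row instead of one.
    tautology = "' OR 1=1 --"
    print("vulnerable:", find_operator_vulnerable(conn, tautology))
    print("safe:      ", find_operator_safe(conn, tautology))
    # UNION: pulls a column the query was never meant to return.
    union = "' UNION SELECT id, secret FROM operators --"
    print("vulnerable:", find_operator_vulnerable(conn, union))
    print("safe:      ", find_operator_safe(conn, union))
```

Both payloads are harmless against the parameterized version because SQLite receives the whole string as a single bound value; the `--` only acts as a comment when it is part of the statement text.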

Fuel management systems have drawn similar scrutiny before. ICS-CERT published an advisory on unauthenticated SQL injection in the Veeder-Root TLS-450PLUS in 2024. Security researchers documented that internet-facing petrol automation endpoints are typically scanned by threat actors within 24 to 48 hours of CVE publication.

Fortinet released 11 advisories on March 10, 2026. CVE-2026-22572 is an MFA bypass in the GUI of FortiAnalyzer and FortiManager versions 7.6.0 through 7.6.3, plus their Cloud variants. An attacker who already knows an admin's password can bypass multi-factor authentication by submitting multiple crafted requests. The batch includes CVE-2026-22627, a high-severity buffer overflow in FortiSwitchAXFixed.

Microsoft's March Patch Tuesday landed the same day with 83 CVEs. Both the Microsoft and Fortinet advisories are covered in separate articles.

WordPress administrators running Tutor LMS Pro should update to version 3.9.6 immediately. GetSimple CMS operators using massiveAdmin should audit gsconfig.php for unexpected modifications and disable the gsconfig editor until a patched release ships. BUK TS-G 2.9.1 operators should move the web management interface off the internet onto a management network and, where it must stay reachable, block requests to /php/request.php at a reverse proxy or WAF (a network firewall filters by address and port, not by URL path). FortiAnalyzer and FortiManager administrators should apply Fortinet's March 10 patches and audit MFA configurations; because the bypass only helps an attacker who already holds the admin password, any admin account whose password may have leaked should be treated as exposed and its credentials rotated.


Questions on the topic

What are the most critical CVEs from March 11, 2026?
The top CVE is CVE-2026-0953 (CVSS 9.8), an authentication bypass in WordPress Tutor LMS Pro affecting 30,000 sites. CVE-2026-28495 (CVSS 9.6) enables RCE in GetSimple CMS, and CVE-2026-3843 (CVSS 9.3) is an unauthenticated SQL injection in a gas station automation system. Fortinet disclosed 11 advisories the same day.