CVE-2026-12595
WordPress · LoginPress Pro
The LoginPress Pro plugin for WordPress is susceptible to an authentication bypass vulnerability due to unverified OAuth email handling.
Executive summary
An authentication bypass vulnerability in the LoginPress Pro plugin for WordPress allows unauthenticated attackers to potentially gain unauthorized access to user accounts.
Vulnerability
The plugin fails to properly verify the email address returned during the OAuth authentication flow, allowing an unauthenticated attacker to manipulate the process and bypass standard login requirements. This flaw effectively grants unauthorized access to the application by spoofing legitimate user identities.
Business impact
This vulnerability carries a CVSS score of 8.1, posing a high risk of unauthorized account access, data exfiltration, and administrative takeover of the WordPress instance. Such a compromise could lead to severe reputational damage, loss of data privacy, and significant operational disruption if administrative accounts are targeted.
Remediation
Immediate Action: Update the LoginPress Pro plugin to the latest available version provided by the vendor.
Proactive Monitoring: Audit user authentication logs for suspicious login patterns or unauthorized access attempts using OAuth providers.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block suspicious or malformed OAuth callback requests.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Administrators must verify their current plugin version and apply available updates immediately. If an update is not yet available, consider disabling the OAuth functionality within LoginPress Pro until a patch is verified and installed.