CVE-2026-12595

WordPress · LoginPress Pro

The LoginPress Pro plugin for WordPress is susceptible to an authentication bypass vulnerability due to unverified OAuth email handling.

Executive summary

An authentication bypass vulnerability in the LoginPress Pro plugin for WordPress allows unauthenticated attackers to potentially gain unauthorized access to user accounts.

Vulnerability

The plugin fails to properly verify the email address returned during the OAuth authentication flow, allowing an unauthenticated attacker to manipulate the process and bypass standard login requirements. This flaw effectively grants unauthorized access to the application by spoofing legitimate user identities.

Business impact

This vulnerability carries a CVSS score of 8.1, posing a high risk of unauthorized account access, data exfiltration, and administrative takeover of the WordPress instance. Such a compromise could lead to severe reputational damage, loss of data privacy, and significant operational disruption if administrative accounts are targeted.

Remediation

Immediate Action: Update the LoginPress Pro plugin to the latest available version provided by the vendor.

Proactive Monitoring: Audit user authentication logs for suspicious login patterns or unauthorized access attempts using OAuth providers.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block suspicious or malformed OAuth callback requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Administrators must verify their current plugin version and apply available updates immediately. If an update is not yet available, consider disabling the OAuth functionality within LoginPress Pro until a patch is verified and installed.