CVE-2026-12597

WordPress · LoginPress Pro

The LoginPress Pro plugin for WordPress is vulnerable to an authentication bypass via the GitHub OAuth callback mechanism.

Executive summary

An authentication bypass vulnerability in the LoginPress Pro plugin for WordPress allows unauthenticated attackers to gain unauthorized access via the GitHub OAuth callback.

Vulnerability

The plugin contains a flaw in the GitHub OAuth callback implementation that permits an unauthenticated attacker to bypass authentication protocols. By manipulating the callback response, an attacker can authenticate as an arbitrary user without legitimate credentials.

Business impact

With a CVSS score of 8.1, this vulnerability presents a significant risk of unauthorized access to the WordPress environment. Successful exploitation could lead to full administrative account takeover, modification of site content, and potential compromise of sensitive user information, directly impacting business continuity and data security.

Remediation

Immediate Action: Update the LoginPress Pro plugin to the latest version immediately to mitigate the authentication flaw.

Proactive Monitoring: Review application logs for anomalous OAuth callback activity or unexpected successful logins from unauthorized GitHub accounts.

Compensating Controls: Use a WAF to monitor and filter traffic directed at OAuth callback endpoints to prevent the exploitation of insecure callback logic.

Exploitation status

Public Exploit Available: false

Analyst recommendation

It is critical that security teams apply the latest security patch for LoginPress Pro to remediate this authentication vulnerability. Given the ease of potential exploitation, immediate action is required to maintain the security and integrity of the WordPress site.