CVE-2026-12597
WordPress · LoginPress Pro
The LoginPress Pro plugin for WordPress is vulnerable to an authentication bypass via the GitHub OAuth callback mechanism.
Executive summary
An authentication bypass vulnerability in the LoginPress Pro plugin for WordPress allows unauthenticated attackers to gain unauthorized access via the GitHub OAuth callback.
Vulnerability
The plugin contains a flaw in the GitHub OAuth callback implementation that permits an unauthenticated attacker to bypass authentication protocols. By manipulating the callback response, an attacker can authenticate as an arbitrary user without legitimate credentials.
Business impact
With a CVSS score of 8.1, this vulnerability presents a significant risk of unauthorized access to the WordPress environment. Successful exploitation could lead to full administrative account takeover, modification of site content, and potential compromise of sensitive user information, directly impacting business continuity and data security.
Remediation
Immediate Action: Update the LoginPress Pro plugin to the latest version immediately to mitigate the authentication flaw.
Proactive Monitoring: Review application logs for anomalous OAuth callback activity or unexpected successful logins from unauthorized GitHub accounts.
Compensating Controls: Use a WAF to monitor and filter traffic directed at OAuth callback endpoints to prevent the exploitation of insecure callback logic.
Exploitation status
Public Exploit Available: false
Analyst recommendation
It is critical that security teams apply the latest security patch for LoginPress Pro to remediate this authentication vulnerability. Given the ease of potential exploitation, immediate action is required to maintain the security and integrity of the WordPress site.