CVE-2026-12598
LoginPress · LoginPress Pro
The LoginPress Pro plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access.
Executive summary
A critical authentication bypass vulnerability in the LoginPress Pro WordPress plugin exposes affected sites to unauthorized administrative access.
Vulnerability
This vulnerability is an improper authentication flaw (CWE-287) that permits unauthenticated remote attackers to bypass security controls. By exploiting this weakness, an attacker can authenticate as a legitimate user, potentially gaining full control over the WordPress instance.
Business impact
Successful exploitation of this flaw allows attackers to bypass login protections, leading to total compromise of the WordPress environment. This risk, justified by a CVSS score of 8.1, includes unauthorized data exfiltration, modification of site content, and potential malware injection, which could result in significant reputational damage and operational downtime.
Remediation
Immediate Action: Update the LoginPress Pro plugin to the latest available version immediately to resolve the authentication logic flaw.
Proactive Monitoring: Review authentication logs for unusual login patterns or successful logins from unrecognized IP addresses that bypass standard login workflows.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block suspicious requests directed at authentication endpoints until the update is applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the severity of an authentication bypass, administrators must prioritize this update above standard maintenance. Applying the latest version is the only effective way to remediate this vulnerability and secure the administrative gateway of your WordPress site.