CVE-2026-12598

LoginPress · LoginPress Pro

The LoginPress Pro plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access.

Executive summary

A critical authentication bypass vulnerability in the LoginPress Pro WordPress plugin exposes affected sites to unauthorized administrative access.

Vulnerability

This vulnerability is an improper authentication flaw (CWE-287) that permits unauthenticated remote attackers to bypass security controls. By exploiting this weakness, an attacker can authenticate as a legitimate user, potentially gaining full control over the WordPress instance.

Business impact

Successful exploitation of this flaw allows attackers to bypass login protections, leading to total compromise of the WordPress environment. This risk, justified by a CVSS score of 8.1, includes unauthorized data exfiltration, modification of site content, and potential malware injection, which could result in significant reputational damage and operational downtime.

Remediation

Immediate Action: Update the LoginPress Pro plugin to the latest available version immediately to resolve the authentication logic flaw.

Proactive Monitoring: Review authentication logs for unusual login patterns or successful logins from unrecognized IP addresses that bypass standard login workflows.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block suspicious requests directed at authentication endpoints until the update is applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the severity of an authentication bypass, administrators must prioritize this update above standard maintenance. Applying the latest version is the only effective way to remediate this vulnerability and secure the administrative gateway of your WordPress site.