CVE-2025-7444
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-07-22
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| loginpress | loginpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7444 is a critical authentication bypass vulnerability in the LoginPress Pro WordPress plugin (up to and including version 5.0.1). It occurs because the plugin does not sufficiently verify the user returned by the social login token, which lets an unauthenticated attacker log in as any existing user on the site, administrators included, provided the attacker knows that user's email address and the user has not already linked an account with the social service that issued the token. [1]
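The weakness described above belongs to the CWE-288 class: a social-login callback that trusts the email address carried by a provider token and logs in whichever local account has that address, instead of requiring a provider identity that the user had already linked. The following Python is an added, generic illustration of that distinction and is not code from LoginPress or from WordPress; the `User`, `SocialIdentity` structures, the `social-a`/`social-b` provider names and the sample accounts are constructed for the example, and the token is assumed to have already passed signature, issuer, audience and expiry validation.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    """Constructed stand-in for a row in the site's users table.
    `linked` maps a provider name to the provider-side subject id the user
    deliberately linked while already authenticated."""
    user_id: int
    email: str
    role: str
    linked: dict = field(default_factory=dict)


@dataclass(frozen=True)
class SocialIdentity:
    """Claims recovered from a provider token (hypothetical structure);
    cryptographic validation of the token is assumed to have happened already."""
    provider: str
    subject: str          # provider's stable identifier for the account holder
    email: str
    email_verified: bool


# Constructed sample data: the administrator has never linked any provider.
USERS = [
    User(1, "admin@example.test", "administrator"),
    User(2, "alice@example.test", "editor", {"social-a": "sub-alice-001"}),
]


def find_by_email(email: str) -> Optional[User]:
    return next((u for u in USERS if u.email.lower() == email.lower()), None)


def find_by_linked_subject(provider: str, subject: str) -> Optional[User]:
    return next((u for u in USERS if u.linked.get(provider) == subject), None)


def resolve_login_weak(identity: SocialIdentity) -> Optional[User]:
    """CWE-288 pattern: the email in the token alone selects the local account,
    so any valid token bearing a user's address maps onto that user."""
    return find_by_email(identity.email)


def resolve_login_hardened(identity: SocialIdentity) -> Optional[User]:
    """Only a previously established provider->user link authenticates.
    An email match by itself never logs anyone in; at most it can seed an
    explicit linking step that the user performs while already logged in."""
    user = find_by_linked_subject(identity.provider, identity.subject)
    if user is None:
        return None  # unknown subject for this provider: refuse
    # Defence in depth: the provider must vouch for the address and it must
    # still agree with the linked account.
    if not identity.email_verified or user.email.lower() != identity.email.lower():
        return None
    return user


if __name__ == "__main__":
    # A token from a provider the administrator never linked, carrying the
    # administrator's address (constructed).
    unlinked = SocialIdentity("social-b", "sub-unknown-999", "admin@example.test", True)
    print("weak:", resolve_login_weak(unlinked))          # administrator account
    print("hardened:", resolve_login_hardened(unlinked))  # None
```

The design choice worth noting: the hardened resolver keys on `(provider, subject)`, which only the account holder could have associated with the local user in an earlier authenticated session, so a token from a different service or a freshly created provider account yields no login regardless of which email address it carries. The email comparison is deliberately conservative; a site that allows users to change their provider-side address would handle that through re-linking rather than by relaxing the check.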
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass authentication and gain unauthorized access to any user account on the affected WordPress site, including administrator accounts. This can lead to full site compromise, data theft, unauthorized changes, and potentially complete control over the website. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the LoginPress Pro plugin to version 5.0.2 or later, as this update contains the critical security fix for the authentication bypass issue described in CVE-2025-7444. [1]