CVE-2026-12595
Received Received - Intake

Authentication Bypass in LoginPress Pro via OAuth

Vulnerability report for CVE-2026-12595, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. The vulnerability exists in the loginpress_on_discord_login() Discord OAuth callback handler, which accepts the email field returned by Discord's /users/@me endpoint without ever checking that the profile's verified flag is true, then directly maps that email to a local WordPress account via get_user_by('email', $profile['email']) and issues an authenticated session cookie via wp_set_auth_cookie(). This makes it possible for unauthenticated attackers to take over any existing WordPress account β€” including administrator accounts β€” by registering a Discord account configured with an unverified email address that matches the target user's registered WordPress email and completing the standard Discord OAuth flow.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wpbeaverbuilder loginpress_pro to 6.2.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The LoginPress Pro plugin for WordPress has a vulnerability that allows attackers to bypass authentication. This happens because the plugin's Discord OAuth login handler accepts an email address from Discord without verifying if the email is confirmed. It then matches this unverified email to a WordPress user account and logs the attacker in as that user.

An attacker can create a Discord account with an unverified email that matches a WordPress user's email and complete the Discord OAuth login process to gain access to that user's WordPress account, including administrator accounts.

Impact Analysis

This vulnerability can allow unauthorized users to take over existing WordPress accounts on a site using the LoginPress Pro plugin, including high-privilege administrator accounts.

Such unauthorized access can lead to full site compromise, data theft, content manipulation, and disruption of website operations.

Compliance Impact

The vulnerability allows unauthenticated attackers to take over existing WordPress accounts, including administrator accounts, by exploiting an authentication bypass via unverified OAuth email. This unauthorized access could lead to exposure or manipulation of personal data stored in the affected WordPress site.

Such unauthorized access and potential data breaches may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. Failure to prevent unauthorized access could result in violations of these standards.

Mitigation Strategies

To mitigate this vulnerability, you should update the LoginPress Pro plugin to a version later than 6.2.3 where the authentication bypass via unverified OAuth email is fixed.

Additionally, consider disabling Discord OAuth login integration temporarily until a patched version is available or applied.

Review and monitor user accounts for suspicious activity, especially those linked to Discord OAuth logins.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12595. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart