CVE-2026-12597
Received Received - Intake

Authentication Bypass in LoginPress Pro WordPress Plugin

Vulnerability report for CVE-2026-12597, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback in versions up to, and including, 6.2.3. The vulnerability exists in the loginpress_on_github_login() function, which blindly trusts the first element (profile[0]['email']) of the array returned by GitHub's /user/emails endpoint as an account-binding identifier without verifying that the email carries a verified === true status. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, by adding an unverified email address matching a local account to their GitHub profile and triggering the OAuth callback via a crafted code parameter β€” causing the plugin to call get_user_by('email', ...) and establish an authenticated session for the matched account. Practical exploitation is conditional on GitHub returning the attacker-added unverified email at index 0 of the /user/emails response, as GitHub typically prioritizes the primary verified address first; nonetheless, the absence of any email verification check in the plugin constitutes a fundamental authentication bypass flaw.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_loginpress loginpress_pro to 6.2.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The LoginPress Pro plugin for WordPress has a vulnerability in its GitHub OAuth login process. Specifically, the plugin's function loginpress_on_github_login() trusts the first email returned by GitHub's /user/emails endpoint without checking if that email is verified. This allows an attacker to add an unverified email address to their GitHub profile that matches an existing WordPress user’s email and then log in as that user, including administrators, by triggering the OAuth callback with a crafted code parameter.

The core issue is that the plugin does not verify the 'verified' status of the email, which is a fundamental flaw leading to authentication bypass.

Impact Analysis

This vulnerability can allow unauthenticated attackers to gain unauthorized access to any existing WordPress user account, including those with administrative privileges. This means attackers could take control of the website, modify content, change settings, or perform other malicious actions as if they were legitimate users.

Compliance Impact

The vulnerability in the LoginPress Pro plugin allows unauthenticated attackers to bypass authentication and log in as any existing WordPress user, including administrators, by exploiting the lack of email verification in the GitHub OAuth callback.

Such an authentication bypass can lead to unauthorized access to sensitive personal data or protected health information stored on the affected WordPress site.

This unauthorized access could result in violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over access to personal and health data to protect user privacy and security.

Therefore, the vulnerability poses a significant risk to compliance by potentially enabling data breaches and unauthorized data exposure.

Mitigation Strategies

To mitigate this vulnerability, immediately update the LoginPress Pro plugin to a version later than 6.2.3 where the authentication bypass flaw is fixed.

As a temporary measure, consider disabling GitHub OAuth login integration in the plugin settings to prevent exploitation via the vulnerable OAuth callback.

Additionally, monitor user login activity for suspicious logins that may indicate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12597. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart