Authentication Bypass Vulnerability in LoginPress Pro Plugin for WordPress
CVE-2026-12595
8.1HIGH
What is CVE-2026-12595?
The LoginPress Pro plugin for WordPress contains a vulnerability in its Discord OAuth callback handler. It allows attackers to bypass authentication by exploiting the unverified email field returned from Discord's /users/@me endpoint. Without verifying the profile's authenticity, attackers can map this email directly to existing WordPress accounts using the get_user_by function, ultimately leading to unauthorized access. This security flaw potentially lets unauthenticated users take control of any WordPress user account, including those with administrative privileges, by simply registering a Discord account associated with a matching email address.
Affected Version(s)
LoginPress Pro 0 <= 6.2.3