Authentication Bypass Vulnerability in LoginPress Pro Plugin for WordPress
CVE-2026-12595

8.1HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
9 July 2026

What is CVE-2026-12595?

The LoginPress Pro plugin for WordPress contains a vulnerability in its Discord OAuth callback handler. It allows attackers to bypass authentication by exploiting the unverified email field returned from Discord's /users/@me endpoint. Without verifying the profile's authenticity, attackers can map this email directly to existing WordPress accounts using the get_user_by function, ultimately leading to unauthorized access. This security flaw potentially lets unauthenticated users take control of any WordPress user account, including those with administrative privileges, by simply registering a Discord account associated with a matching email address.

Affected Version(s)

LoginPress Pro 0 <= 6.2.3

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Duc (duc193)
.