Authentication Bypass in LoginPress Pro Plugin for WordPress
CVE-2026-12597

8.1HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
9 July 2026

What is CVE-2026-12597?

The LoginPress Pro plugin for WordPress contains an authentication bypass vulnerability due to the improper handling of the GitHub OAuth callback. Specifically, it fails to validate the returned email address from GitHub’s /user/emails endpoint, which allows unauthenticated attackers to gain access to existing WordPress accounts by linking an unverified email to their GitHub profile. This flaw enables attackers to exploit the plugin’s reliance on the first item in the email array without adequate verification, potentially allowing them to log in as any user, including administrative accounts. As a result, WordPress websites using vulnerable versions of the LoginPress Pro plugin are at risk of unauthorized access. It is crucial for website administrators to update their plugins to safeguard against this significant security oversight.

Affected Version(s)

LoginPress Pro 0 <= 6.2.3

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Duc (duc193)
.