Authentication Bypass in LoginPress Pro Plugin for WordPress
CVE-2026-12597
What is CVE-2026-12597?
The LoginPress Pro plugin for WordPress contains an authentication bypass vulnerability due to the improper handling of the GitHub OAuth callback. Specifically, it fails to validate the returned email address from GitHub’s /user/emails endpoint, which allows unauthenticated attackers to gain access to existing WordPress accounts by linking an unverified email to their GitHub profile. This flaw enables attackers to exploit the plugin’s reliance on the first item in the email array without adequate verification, potentially allowing them to log in as any user, including administrative accounts. As a result, WordPress websites using vulnerable versions of the LoginPress Pro plugin are at risk of unauthorized access. It is crucial for website administrators to update their plugins to safeguard against this significant security oversight.
Affected Version(s)
LoginPress Pro 0 <= 6.2.3