Authentication Bypass Vulnerability in LoginPress Pro Plugin by LoginPress
CVE-2026-12598
8.1HIGH
What is CVE-2026-12598?
The LoginPress Pro plugin for WordPress contains an authentication bypass vulnerability due to a flaw in the Spotify Social Login addon. Versions up to and including 6.2.3 are susceptible. The function loginpress_on_spotify_login() improperly trusts the 'email' field returned from Spotify's unverified /v1/me endpoint, allowing attackers to log in as any existing WordPress user, including those with Administrator privileges. This is possible because attackers can create a Spotify account with a targeted user's email address and authenticate without confirming ownership of the WordPress account, posing serious security risks.
Affected Version(s)
LoginPress Pro 0 <= 6.2.3