Authentication Bypass Vulnerability in LoginPress Pro Plugin by LoginPress
CVE-2026-12598

8.1HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
9 July 2026

What is CVE-2026-12598?

The LoginPress Pro plugin for WordPress contains an authentication bypass vulnerability due to a flaw in the Spotify Social Login addon. Versions up to and including 6.2.3 are susceptible. The function loginpress_on_spotify_login() improperly trusts the 'email' field returned from Spotify's unverified /v1/me endpoint, allowing attackers to log in as any existing WordPress user, including those with Administrator privileges. This is possible because attackers can create a Spotify account with a targeted user's email address and authenticate without confirming ownership of the WordPress account, posing serious security risks.

Affected Version(s)

LoginPress Pro 0 <= 6.2.3

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Duc (duc193)
.