CVE-2026-12595 in Pro Plugin
Summary
by MITRE • 07/10/2026
The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. The vulnerability exists in the loginpress_on_discord_login() Discord OAuth callback handler, which accepts the email field returned by Discord's /users/@me endpoint without ever checking that the profile's verified flag is true, then directly maps that email to a local WordPress account via get_user_by('email', $profile['email']) and issues an authenticated session cookie via wp_set_auth_cookie(). This makes it possible for unauthenticated attackers to take over any existing WordPress account — including administrator accounts — by registering a Discord account configured with an unverified email address that matches the target user's registered WordPress email and completing the standard Discord OAuth flow.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The LoginPress Pro plugin for WordPress presents a critical authentication bypass vulnerability that undermines the security of WordPress installations through improper validation of third-party OAuth email verification. This flaw affects all versions up to and including 6.2.3, making it a widespread concern across numerous WordPress deployments. The vulnerability specifically manifests within the loginpress_on_discord_login() callback handler that processes Discord OAuth authentication responses, creating a pathway for malicious actors to exploit the trust placed in third-party identity providers without proper verification checks.
The technical implementation of this vulnerability stems from the plugin's failure to validate the verified flag returned by Discord's /users/@me endpoint during the OAuth authentication process. When users authenticate through Discord, the platform returns user profile information including email addresses and a boolean flag indicating whether the email has been verified by Discord itself. However, the LoginPress Pro plugin completely disregards this verification status and directly accepts any email address provided by the OAuth provider, regardless of its verification state. This oversight creates a fundamental security gap where attackers can manipulate the authentication flow by simply registering a Discord account with an unverified email address that matches an existing WordPress user's email.
The operational impact of this vulnerability extends beyond simple privilege escalation to enable complete account takeover scenarios that can compromise entire WordPress installations. Attackers can systematically target specific users by creating Discord accounts using verified email addresses that match legitimate WordPress user accounts, particularly administrator accounts. Once the malicious Discord account is established, completing the standard OAuth flow triggers the plugin's vulnerable code path where get_user_by('email', $profile['email']) retrieves the existing WordPress user account and wp_set_auth_cookie() issues a valid authentication session cookie. This process effectively grants attackers full administrative privileges over targeted WordPress installations without requiring any legitimate credentials or knowledge of user passwords.
This vulnerability aligns with CWE-287, which addresses improper authentication issues in software systems, specifically targeting the lack of proper verification mechanisms for third-party identity providers. The flaw also corresponds to ATT&CK technique T1078.004, which describes valid accounts usage through legitimate authentication processes that are then exploited for unauthorized access. The attack vector requires minimal skill level as it exploits existing OAuth implementation patterns rather than requiring complex exploitation techniques, making it particularly dangerous in environments where WordPress administrators rely on third-party authentication plugins for user management.
The security implications of this vulnerability extend to potential data breaches, content manipulation, and complete system compromise when attackers gain administrative access. WordPress installations using LoginPress Pro become vulnerable to unauthorized modifications, plugin installations, theme changes, and database alterations that can persist even after the initial compromise is detected. Organizations relying on this plugin for user authentication face significant risk exposure, particularly in environments where administrators have elevated privileges or where the WordPress installation contains sensitive information.
Mitigation strategies should prioritize immediate plugin updates to versions that address the verification bypass vulnerability, with administrators verifying that the updated version properly validates Discord's verified email flag before proceeding with account mapping. Security teams should also implement additional monitoring for unusual authentication patterns and consider disabling OAuth login methods until proper validation is confirmed. Organizations may need to conduct comprehensive security audits of their WordPress installations to identify other plugins that might exhibit similar authentication bypass vulnerabilities, particularly those implementing third-party OAuth integration without proper verification checks. The recommended approach includes implementing multi-factor authentication as an additional layer of protection and establishing strict policies for OAuth provider configuration that mandate email verification requirements before enabling automated account mapping processes.