CVE-2026-12597 in Pro Plugin
Summary
by MITRE • 07/10/2026
The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback in versions up to, and including, 6.2.3. The vulnerability exists in the loginpress_on_github_login() function, which blindly trusts the first element (profile[0]['email']) of the array returned by GitHub's /user/emails endpoint as an account-binding identifier without verifying that the email carries a verified === true status. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, by adding an unverified email address matching a local account to their GitHub profile and triggering the OAuth callback via a crafted code parameter — causing the plugin to call get_user_by('email', ...) and establish an authenticated session for the matched account. Practical exploitation is conditional on GitHub returning the attacker-added unverified email at index 0 of the /user/emails response, as GitHub typically prioritizes the primary verified address first; nonetheless, the absence of any email verification check in the plugin constitutes a fundamental authentication bypass flaw.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The LoginPress Pro plugin for WordPress presents a critical authentication bypass vulnerability through its GitHub OAuth implementation that affects versions up to and including 6.2.3. This flaw resides within the loginpress_on_github_login() function where the plugin performs an insecure trust relationship with GitHub's API responses. The vulnerability stems from the plugin's failure to validate email verification status when processing OAuth callbacks, creating a pathway for unauthorized access that directly contradicts established security practices for authentication mechanisms.
The technical implementation of this vulnerability exploits the trust model between WordPress and GitHub's OAuth service by blindly accepting the first email address returned from GitHub's /user/emails endpoint without proper verification checks. When an attacker adds an unverified email address that matches an existing WordPress user account to their GitHub profile, the plugin's code path executes get_user_by('email', ...) using this unverified email address as the identifier. This design flaw allows attackers to bypass normal authentication procedures and gain administrative access to WordPress sites where LoginPress Pro is installed.
The operational impact of this vulnerability extends beyond simple privilege escalation as it enables attackers to assume full administrative control over targeted WordPress installations. Attackers can leverage this bypass to modify website content, install malicious plugins, compromise user data, and potentially use the compromised site for further attacks within their network. The vulnerability's conditional nature means that successful exploitation requires specific circumstances where GitHub returns the attacker-added unverified email at index 0 of the response array, but the fundamental flaw remains regardless of these conditions.
This authentication bypass vulnerability aligns with CWE-287 which addresses improper authentication issues in software systems. The flaw also maps to ATT&CK technique T1078.004 which covers valid accounts and T1566.002 which involves phishing through social media platforms, as attackers can manipulate their GitHub profiles to exploit this specific weakness. Organizations using LoginPress Pro should immediately implement mitigations including updating to patched versions, implementing additional authentication layers, or disabling the problematic OAuth functionality until proper security measures are in place.
The vulnerability demonstrates a fundamental flaw in API integration security where third-party authentication services are trusted without proper verification mechanisms. Security best practices dictate that authentication systems should never assume the validity of external identifiers without explicit verification, particularly when those identifiers represent critical access control functions. The lack of email verification checking represents a complete failure to implement proper input validation and trust verification procedures that are essential for maintaining secure authentication flows in web applications.