CVE-2026-12598 in Pro Plugin
Summary
by MITRE • 07/10/2026
The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in versions up to and including 6.2.3 via the Spotify Social Login addon. This is due to the loginpress_on_spotify_login() function trusting the unverified 'email' field returned by Spotify's /v1/me endpoint and using it directly with get_user_by('email', $profile['email']) to identify and log in an existing WordPress account, without confirming that the Spotify user actually owns the email address (Spotify documents that the profile email is unverified) and without requiring the user to prove ownership of the matching WordPress account. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including Administrators, by registering a Spotify account using the targeted user's email address and authenticating via the Spotify provider.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in LoginPress Pro plugin versions up to 6.2.3 represents a critical authentication bypass flaw that directly undermines the security of WordPress installations relying on social login functionality. This weakness specifically affects the Spotify Social Login addon and stems from improper validation of user identity claims within the loginpress_on_spotify_login() function. The vulnerability operates by trusting unverified data returned from Spotify's API endpoint without implementing proper verification mechanisms, creating a pathway for unauthorized access that aligns with CWE-287 authentication bypass patterns.
The technical implementation of this flaw occurs when the plugin receives user profile information from Spotify's /v1/me endpoint and directly utilizes the email address contained in the response to search for existing WordPress users. This approach fails to validate that the authenticated Spotify user actually controls the email address they claim to own, as explicitly documented by Spotify itself. The function employs get_user_by('email', $profile['email']) without any additional verification steps, meaning an attacker can simply register a Spotify account using any valid WordPress user's email address and successfully authenticate as that user through the social login mechanism.
The operational impact of this vulnerability is severe and far-reaching within WordPress environments, particularly those where administrator accounts are configured to use Spotify social login. Attackers can exploit this weakness to gain unauthorized access to any existing WordPress user account, including high-privilege administrator roles, simply by creating a Spotify account with the target's email address. This authentication bypass enables attackers to perform arbitrary actions within the WordPress installation, potentially leading to complete system compromise, data exfiltration, or deployment of malicious payloads.
This vulnerability demonstrates a clear violation of fundamental security principles regarding identity verification and the principle of least privilege in access control systems. The flaw aligns with ATT&CK technique T1078.004 for valid accounts and T1566 for credential harvesting through social engineering approaches. Organizations implementing LoginPress Pro with Spotify social login functionality face significant risk exposure, as attackers can systematically target user accounts without requiring prior knowledge of passwords or other authentication credentials. The vulnerability represents a classic case of trusting unverified external data sources without proper validation mechanisms.
The recommended mitigation strategy involves immediate patching of the LoginPress Pro plugin to version 6.2.4 or later, which addresses this specific authentication bypass vulnerability through proper email verification procedures. Organizations should also implement additional security controls such as two-factor authentication for all administrative accounts and consider disabling social login options for high-privilege users until proper validation mechanisms are in place. Security monitoring should be enhanced to detect unusual login patterns from social providers, particularly when multiple accounts attempt to authenticate using the same email address across different sessions.