Home

Description

The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. The vulnerability exists in the loginpress_on_discord_login() Discord OAuth callback handler, which accepts the email field returned by Discord's /users/@me endpoint without ever checking that the profile's verified flag is true, then directly maps that email to a local WordPress account via get_user_by('email', $profile['email']) and issues an authenticated session cookie via wp_set_auth_cookie(). This makes it possible for unauthenticated attackers to take over any existing WordPress account — including administrator accounts — by registering a Discord account configured with an unverified email address that matches the target user's registered WordPress email and completing the standard Discord OAuth flow.

PUBLISHED Reserved 2026-06-18 | Published 2026-07-09 | Updated 2026-07-10 | Assigner Wordfence




HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-287 Improper Authentication

Product status

Default status
unaffected

Any version
affected

Timeline

2026-06-18:Vendor Notified
2026-07-09:Disclosed

Credits

Nguyen Ngoc Duc (duc193) finder

References

www.wordfence.com/...-2506-49be-9105-40ec2d2a4f77?source=cve

loginpress.pro/

cve.org (CVE-2026-12595)

nvd.nist.gov (CVE-2026-12595)

Download JSON