The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. The vulnerability exists in the loginpress_on_discord_login() Discord OAuth callback handler, which accepts the email field returned by Discord's /users/@me endpoint without ever checking that the profile's verified flag is true, then directly maps that email to a local WordPress account via get_user_by('email', $profile['email']) and issues an authenticated session cookie via wp_set_auth_cookie(). This makes it possible for unauthenticated attackers to take over any existing WordPress account — including administrator accounts — by registering a Discord account configured with an unverified email address that matches the target user's registered WordPress email and completing the standard Discord OAuth flow.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 00:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Loginpress
Loginpress loginpress Pro Wordpress Wordpress wordpress |
|
| Vendors & Products |
Loginpress
Loginpress loginpress Pro Wordpress Wordpress wordpress |
Thu, 09 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. The vulnerability exists in the loginpress_on_discord_login() Discord OAuth callback handler, which accepts the email field returned by Discord's /users/@me endpoint without ever checking that the profile's verified flag is true, then directly maps that email to a local WordPress account via get_user_by('email', $profile['email']) and issues an authenticated session cookie via wp_set_auth_cookie(). This makes it possible for unauthenticated attackers to take over any existing WordPress account — including administrator accounts — by registering a Discord account configured with an unverified email address that matches the target user's registered WordPress email and completing the standard Discord OAuth flow. | |
| Title | LoginPress Pro <= 6.2.3 - Unauthenticated Authentication Bypass via Unverified OAuth Email via Discord OAuth Callback | |
| Weaknesses | CWE-287 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-09T23:30:09.414Z
Reserved: 2026-06-18T10:15:01.785Z
Link: CVE-2026-12595
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T00:30:06Z