CVE-2025-39561 - Vulnerability Details

- WordPress LoginWP - Pro Plugin <= 4.0.8.5 - Broken Access Control vulnerability

Description

Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.

Published: 2026-01-05

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Missing Authorization in the LoginWP – Pro plugin allows attackers to execute operations that are not properly protected by the plugin's access control lists. The flaw permits unauthorized use of features that should be restricted to certain user roles, thereby exposing the WordPress site to potential misuse of the plugin's administrative functions. This weakness is classified as CWE‑862 – Missing Authorization.

Affected Systems

Organizations that use the WordPress LoginWP – Pro plugin from Marketing Fire, LLC are impacted. All releases up to and including version 4.0.8.5 contain the flaw and are therefore vulnerable. The issue resides within the plugin’s internal administration code on a WordPress installation.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability that could allow compromise of the plugin’s privileged functions. The EPSS score shows a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The flaw can be exploited through the plugin’s web interface where authorization checks are missing; the likely attack vector is through standard WordPress administrative pages accessed by a user, though the specific prerequisites are not detailed in the advisory.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Marketing Fire, LLC

LoginWP - Pro

unaffected

Version	Status	Constraints
`n/a`	affected	≤ 4.0.8.5

No data.

Vendor	Product	Confidence	Versions
Marketing Fire	Loginwp	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update the WordPress LoginWP - Pro wordpress plugin to the latest available version (at least 4.0.8.6).

OpenCVE Recommended Actions

Update the LoginWP – Pro plugin to version 4.0.8.6 or later
Ensure that only users with appropriate roles can access the plugin's administration pages, and verify role‑based restrictions within WordPress
If the plugin is not essential, consider disabling or uninstalling it until a newer version is released; alternatively, block its admin URLs using an access‑control plugin or .htaccess rules

Generated by OpenCVE AI on April 30, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00073.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve

History

Tue, 28 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/Wordpress/Plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve

Tue, 28 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro loginwp-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through <= 4.0.8.5.	Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.
References		https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.	Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro loginwp-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through <= 4.0.8.5.
References		https://patchstack.com/database/Wordpress/Plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve

Tue, 06 Jan 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Marketing Fire Marketing Fire loginwp Wordpress Wordpress wordpress
Vendors & Products		Marketing Fire Marketing Fire loginwp Wordpress Wordpress wordpress

Tue, 06 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 05 Jan 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.
Title		WordPress LoginWP - Pro Plugin <= 4.0.8.5 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Marketing Fire Loginwp

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-05T16:50:25.554Z

Updated: 2026-04-28T16:12:34.904Z

Reserved: 2025-04-16T06:25:01.731Z

Link: CVE-2025-39561

Vulnrichment

Updated: 2026-01-05T19:44:22.118Z

NVD

Status : Deferred

Published: 2026-01-05T17:15:45.330

Modified: 2026-04-28T19:32:05.390

Link: CVE-2025-39561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:30:06Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object