CVE-2025-46255 - Vulnerability Details

- WordPress LoginWP - Pro Plugin <= 4.0.8.5 - Settings Change vulnerability

Description

Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.

Published: 2026-01-05

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Missing authorization in the Marketing Fire LLC LoginWP - Pro plugin allows an attacker to invoke functions that should be protected by access control lists. The vulnerability enables the unauthenticated or partially authenticated attacker to alter plugin settings, which could lead to unauthorized configuration changes and potentially elevate privileges within the WordPress installation.

Affected Systems

The vulnerability affects Marketing Fire LLC’s WordPress LoginWP - Pro plugin, specifically all versions from an unspecified earlier release through 4.0.8.5. Any WordPress site using versions of this plugin up to and including 4.0.8.5 is impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of <1% shows a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires at least authentication within the WordPress system, possibly via a normal user account, to manipulate plugin settings. The primary exploit risk is unauthorized configuration changes, which may be leveraged for further compromise within the application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Marketing Fire LLC

LoginWP - Pro

unaffected

Version	Status	Constraints
`n/a`	affected	≤ 4.0.8.5

No data.

Vendor	Product	Confidence	Versions
Marketing Fire	Loginwp	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update the WordPress LoginWP - Pro wordpress plugin to the latest available version (at least 4.0.8.6).

OpenCVE Recommended Actions

Update LoginWP - Pro to version 4.0.8.6 or later as advised by the vendor
Restrict the plugin’s settings administration to trusted user roles only to enforce proper access control
Audit the plugin’s settings and logs after the upgrade to confirm that no unauthorized changes remain

Generated by OpenCVE AI on April 30, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve

History

Tue, 28 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/Wordpress/Plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve

Tue, 28 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro loginwp-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through <= 4.0.8.5.	Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.
References		https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.	Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro loginwp-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through <= 4.0.8.5.
References		https://patchstack.com/database/Wordpress/Plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve

Tue, 06 Jan 2026 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Marketing Fire Marketing Fire loginwp Wordpress Wordpress wordpress
Vendors & Products		Marketing Fire Marketing Fire loginwp Wordpress Wordpress wordpress

Tue, 06 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 05 Jan 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5.
Title		WordPress LoginWP - Pro Plugin <= 4.0.8.5 - Settings Change vulnerability
Weaknesses		CWE-862
References		https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Marketing Fire Loginwp

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-05T16:44:34.478Z

Updated: 2026-04-28T16:12:37.089Z

Reserved: 2025-04-22T09:21:51.395Z

Link: CVE-2025-46255

Vulnrichment

Updated: 2026-01-05T21:10:36.158Z

NVD

Status : Deferred

Published: 2026-01-05T17:15:45.480

Modified: 2026-04-28T19:32:10.690

Link: CVE-2025-46255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:30:06Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object