Description
The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
Published: 2025-07-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass that permits unauthorized login as any existing user
Action: Immediate Patch
AI Analysis

Impact

LoginPress Pro plugin for WordPress up to version 5.0.1 has an authentication bypass that permits an unauthenticated attacker to log in as an existing user by submitting a WordPress.com OAuth token for a WordPress.com account that carries that user's email address. The flaw stems from insufficient verification of the user returned by the token: the plugin maps the returned identity onto a local account without an adequate check, so an attacker who has access to the target's email, and whose target has not already linked a WordPress.com account, obtains a session with that user's privileges. Against an administrator this yields full site control, compromising confidentiality, integrity, and availability.
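The following is an added illustrative model of the vulnerable pattern (CWE-288, an alternate authentication path) beside a hardened form. It is not LoginPress code and does not claim to reproduce the plugin's actual logic; the user table, provider profiles, token strings, the `client_id` field name and the `ACCOUNT_LINKS` store are all constructed for the demonstration. The vulnerable callback treats any provider profile whose email matches a local user as that user; the hardened callback checks the token's audience and only honours a provider account that was explicitly linked in advance, so an unlinked account with a matching email cannot be turned into a login.

```php
<?php
declare(strict_types=1);

// Constructed local WordPress-style user table: user_id => [email, role].
const LOCAL_USERS = [
    1 => ['email' => 'admin@example.test', 'role' => 'administrator'],
    2 => ['email' => 'alice@example.test', 'role' => 'subscriber'],
];

// Constructed stand-in for the provider's user-info endpoint: token => profile it would return.
// 'client_id' (an assumed field name) is the OAuth client the token was issued to.
const PROVIDER_PROFILES = [
    // Alice's own provider account, token minted for this site's OAuth client.
    'tok-alice'    => ['sub' => 501, 'email' => 'alice@example.test', 'client_id' => 'this-site'],
    // Attacker-controlled provider account that carries the administrator's email address.
    'tok-attacker' => ['sub' => 902, 'email' => 'admin@example.test', 'client_id' => 'this-site'],
    // Same attacker account, but a token minted for an OAuth client that is not ours.
    'tok-foreign'  => ['sub' => 902, 'email' => 'admin@example.test', 'client_id' => 'other-app'],
];

const THIS_SITE_CLIENT_ID = 'this-site';

// Links created only through an authenticated "connect account" flow:
// provider subject id => local user_id. Alice linked her account; the administrator never did.
const ACCOUNT_LINKS = [501 => 2];

function fetch_profile(string $token): ?array
{
    // Stand-in for calling the provider's user-info endpoint with the bearer token.
    return PROVIDER_PROFILES[$token] ?? null;
}

// Vulnerable pattern (CWE-288): whoever presents a token whose profile email matches a
// local user is logged in as that user. The email match is a path around the password.
function vulnerable_user_for_token(string $token): ?int
{
    $profile = fetch_profile($token);
    if ($profile === null) {
        return null;
    }
    foreach (LOCAL_USERS as $userId => $user) {
        if (strcasecmp($user['email'], $profile['email']) === 0) {
            return $userId; // a real plugin would now call wp_set_auth_cookie($userId)
        }
    }
    return null;
}

// Hardened pattern: the token must have been issued to our client, and only an explicitly
// linked provider account maps to a local user. An unlinked account is never matched by
// email; it would be sent to a link flow that requires the local password (not shown).
function hardened_user_for_token(string $token): ?int
{
    $profile = fetch_profile($token);
    if ($profile === null) {
        return null;
    }
    // 1. Audience check: reject tokens issued to some other OAuth client.
    if (!hash_equals(THIS_SITE_CLIENT_ID, (string) $profile['client_id'])) {
        return null;
    }
    // 2. Identity is the provider's stable subject id, never the email address.
    $userId = ACCOUNT_LINKS[$profile['sub']] ?? null;
    if ($userId === null || !isset(LOCAL_USERS[$userId])) {
        return null;
    }
    return $userId;
}

foreach (['tok-alice', 'tok-attacker', 'tok-foreign', 'tok-unknown'] as $token) {
    printf("%-13s vulnerable=%s hardened=%s\n", $token,
        var_export(vulnerable_user_for_token($token), true),
        var_export(hardened_user_for_token($token), true));
}
```

Run with `php model.php`. The `tok-attacker` row is the case the advisory describes: the vulnerable path returns the administrator's user id because the provider account carries the administrator's email, while the hardened path returns nothing because subject 902 was never linked. Linking must itself be done from an authenticated session (or after a password check), otherwise the link flow becomes the same alternate path.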

Affected Systems

LoginPress Pro plugin for WordPress versions 5.0.1 and older.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classifies this vulnerability as critical: it is reachable over the network with no privileges and no user interaction. The EPSS score below 1% indicates a low predicted probability of exploitation at present, and the CVE is not listed in the CISA KEV catalog, which means no confirmed in-the-wild exploitation has been recorded there, not that exploitation is infeasible; the SSVC assessment in the history below rates it automatable with total technical impact. To exploit it, an attacker needs a WordPress.com OAuth token for a provider account whose email matches an existing site user, and that user must not already have a linked account for the provider; once the token is accepted, the attacker holds a session with the account's privileges.

Generated by OpenCVE AI on April 21, 2026 at 03:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LoginPress Pro to a release later than 5.0.1 (5.0.2 or newer) as soon as one is available.
  • Until the plugin is patched, disable the WordPress.com OAuth provider, or all social login options, in the plugin settings; with the provider disabled the vulnerable callback cannot be reached.
  • Review authentication logs for logins through the social login callback that do not correspond to a known linked account, and audit administrator accounts for unexpected sessions. Multi-factor authentication reduces exposure only if it is enforced on the social login path as well as the password form; a bypass that issues a session directly from the OAuth callback sidesteps MFA that is hooked only into password login.

Generated by OpenCVE AI on April 21, 2026 at 03:57 UTC.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-21859
Title: The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
History

Fri, 18 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 08:45:00 +0000

Type Values Removed Values Added
Description The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
Title LoginPress Pro <= 5.0.1 - Authentication Bypass via WordPress.com OAuth provider
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

WordPress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:40.061Z

Reserved: 2025-07-10T19:51:23.413Z

Link: CVE-2025-7444

Vulnrichment

Updated: 2025-07-18T13:44:32.300Z

NVD

Status : Deferred

Published: 2025-07-18T09:15:27.333

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses