Description
The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback in versions up to, and including, 6.2.3. The vulnerability exists in the loginpress_on_github_login() function, which blindly trusts the first element (profile[0]['email']) of the array returned by GitHub's /user/emails endpoint as an account-binding identifier without verifying that the email carries a verified === true status. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, by adding an unverified email address matching a local account to their GitHub profile and triggering the OAuth callback via a crafted code parameter — causing the plugin to call get_user_by('email', ...) and establish an authenticated session for the matched account. Practical exploitation is conditional on GitHub returning the attacker-added unverified email at index 0 of the /user/emails response, as GitHub typically prioritizes the primary verified address first; nonetheless, the absence of any email verification check in the plugin constitutes a fundamental authentication bypass flaw.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 10 Jul 2026 00:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Loginpress
Loginpress loginpress Pro Wordpress Wordpress wordpress |
|
| Vendors & Products |
Loginpress
Loginpress loginpress Pro Wordpress Wordpress wordpress |
Thu, 09 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback in versions up to, and including, 6.2.3. The vulnerability exists in the loginpress_on_github_login() function, which blindly trusts the first element (profile[0]['email']) of the array returned by GitHub's /user/emails endpoint as an account-binding identifier without verifying that the email carries a verified === true status. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, by adding an unverified email address matching a local account to their GitHub profile and triggering the OAuth callback via a crafted code parameter — causing the plugin to call get_user_by('email', ...) and establish an authenticated session for the matched account. Practical exploitation is conditional on GitHub returning the attacker-added unverified email at index 0 of the /user/emails response, as GitHub typically prioritizes the primary verified address first; nonetheless, the absence of any email verification check in the plugin constitutes a fundamental authentication bypass flaw. | |
| Title | LoginPress Pro <= 6.2.3 - Unauthenticated Authentication Bypass via Unverified OAuth Email via GitHub OAuth Callback | |
| Weaknesses | CWE-287 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-09T23:30:08.882Z
Reserved: 2026-06-18T10:21:22.717Z
Link: CVE-2026-12597
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T00:30:06Z
Weaknesses
-
CWE-287
Improper Authentication