PatchSiren cyber security CVE debrief
CVE-2026-12595 LoginPress CVE debrief
The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. The vulnerability exists in the loginpress_on_discord_login() Discord OAuth callback handler, which accepts the email field returned by Discord's /users/@me endpoint without ever checking that the profile's verified flag is true, then directly maps that email to a local WordPress account via get_user_by('email', $profile['email']) and issues an authenticated session cookie via wp_set_auth_cookie(). This makes it possible for unauthenticated attackers to take over any existing WordPress account — including administrator accounts — by registering a Discord account configured with an unverified email address that matches the target user's registered WordPress email and completing the standard Discord OAuth flow.
- Vendor
- LoginPress
- Product
- LoginPress Pro
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the LoginPress Pro plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This vulnerability could allow attackers to gain unauthorized access to WordPress accounts, including administrator accounts, which could lead to further exploitation and compromise of the site.
Technical summary
The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email. The vulnerability exists in the loginpress_on_discord_login() Discord OAuth callback handler. The handler accepts the email field returned by Discord's /users/@me endpoint without verifying the profile's verified flag. This allows an attacker to map an unverified email address to a local WordPress account and issue an authenticated session cookie.
Defensive priority
High
Recommended defensive actions
- Update the LoginPress Pro plugin to a version that fixes this vulnerability.
- Verify that all user accounts have valid and verified email addresses.
- Monitor user accounts for suspicious activity.
- Consider implementing additional security measures, such as two-factor authentication.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-10T00:16:32.120Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via Unverified OAuth Email in all versions up to and including 6.2.3. Evidence of exploitation is limited, and defenders should verify affected deployments and monitor for suspicious activity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T00:16:32.120Z and has not been modified since then. The NVD entry is currently Deferred.