PatchSiren cyber security CVE debrief
CVE-2026-12597 LoginPress CVE debrief
The LoginPress Pro plugin for WordPress has an authentication bypass vulnerability due to the GitHub OAuth callback implementation. This CVE was published on 2026-07-10T00:16:32.603Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability exists in the loginpress_on_github_login() function, which trusts the first element (profile[0]['email']) of the array returned by GitHub's /user/emails endpoint without verifying the email's verified status. This allows unauthenticated attackers to log in as any existing WordPress user by adding an unverified email address matching a local account to their GitHub profile and triggering the OAuth callback via a crafted code parameter. Practical exploitation is conditional on GitHub returning the attacker-added unverified email at index 0 of the /user/emails response.
- Vendor
- LoginPress
- Product
- LoginPress Pro
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
WordPress users with LoginPress Pro plugin installed should verify their version and update if necessary. Security teams monitoring WordPress vulnerabilities should prioritize this high-severity issue. Operators of affected systems should review the vulnerability details and plan for remediation. Vulnerability management teams should assess the potential impact and assign an owner for follow-up.
Technical summary
The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass via the GitHub OAuth callback in versions up to, and including, 6.2.3. The vulnerability exists in the loginpress_on_github_login() function, which trusts the first element (profile[0]['email']) of the array returned by GitHub's /user/emails endpoint without verifying the email's verified status. This allows unauthenticated attackers to log in as any existing WordPress user by adding an unverified email address matching a local account to their GitHub profile and triggering the OAuth callback.
Defensive priority
High priority due to authentication bypass and potential for exploitation
Recommended defensive actions
- Update LoginPress Pro to a version beyond 6.2.3
- Monitor GitHub OAuth callback for suspicious activity
- Verify email verification status for GitHub OAuth users
- Implement additional authentication measures for WordPress users
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD entry provide details on the vulnerability. Limited information is available on exploitation or affected scope. Defenders should verify the GitHub OAuth callback implementation in LoginPress Pro plugin versions up to 6.2.3 and review email verification status for GitHub OAuth users. The plugin's authentication bypass vulnerability allows unauthenticated attackers to log in as any existing WordPress user by adding an unverified email address matching a local account to their GitHub profile and triggering the OAuth callback. Evidence limits suggest focusing on official advisories and CVE records for further details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T00:16:32.603Z and has not been modified since then. The NVD entry is currently Deferred.