PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12598 LoginPress CVE debrief

The LoginPress Pro plugin for WordPress has an authentication bypass vulnerability in versions up to and including 6.2.3 via the Spotify Social Login addon. This vulnerability allows unauthenticated attackers to log in as any existing WordPress user, including Administrators, by registering a Spotify account using the targeted user's email address and authenticating via the Spotify provider. The vulnerability exists due to the loginpress_on_spotify_login() function trusting the unverified 'email' field returned by Spotify's /v1/me endpoint and using it directly with get_user_by('email', $profile['email']) to identify and log in an existing WordPress account, without confirming that the Spotify user actually owns the email address and without requiring the user to prove ownership of the matching WordPress account.

Vendor
LoginPress
Product
LoginPress Pro
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

WordPress users with LoginPress Pro plugin installed, especially those using the Spotify Social Login addon, should be aware of this vulnerability and take immediate action to protect their sites. Site administrators and security teams should review the vulnerability details and implement necessary mitigations to prevent unauthorized access.

Technical summary

The vulnerability exists in the loginpress_on_spotify_login() function, which uses the unverified 'email' field from Spotify's /v1/me endpoint to identify and log in existing WordPress accounts without confirming ownership of the email address or requiring users to prove ownership of the matching WordPress account. This allows attackers to bypass authentication and potentially gain unauthorized access to WordPress sites using the vulnerable plugin.

Defensive priority

High priority due to the high CVSS score of 8.1 and the potential for unauthenticated attackers to log in as any existing WordPress user, including Administrators.

Recommended defensive actions

  • Update LoginPress Pro plugin to a version that fixes the authentication bypass vulnerability
  • Implement additional monitoring and logging to detect potential exploitation attempts
  • Review and restrict access to sensitive areas of the WordPress site
  • Consider implementing additional security measures such as two-factor authentication
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-10T00:16:32.727Z and last modified on 2026-07-10T19:17:20.113Z. The NVD entry is currently Deferred. The LoginPress Pro plugin for WordPress has an authentication bypass vulnerability in versions up to and including 6.2.3 via the Spotify Social Login addon. Evidence of exploitation is not currently available, but defenders should verify affected deployments and review logs for potential unauthorized access attempts.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T00:16:32.727Z and has not been modified since then. The NVD entry is currently Deferred.