Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network attack (PR:N/AV:N) with no victim interaction but AC:H for the required non-default Spotify addon and a known target email; admin takeover yields C:H/I:H/A:H.
Primary rating from Vendor (wordfence).
CVSS VectorVendor: wordfence
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in versions up to and including 6.2.3 via the Spotify Social Login addon. This is due to the loginpress_on_spotify_login() function trusting the unverified 'email' field returned by Spotify's /v1/me endpoint and using it directly with get_user_by('email', $profile['email']) to identify and log in an existing WordPress account, without confirming that the Spotify user actually owns the email address (Spotify documents that the profile email is unverified) and without requiring the user to prove ownership of the matching WordPress account. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including Administrators, by registering a Spotify account using the targeted user's email address and authenticating via the Spotify provider.
AnalysisAI
Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target site runs LoginPress Pro ≤ 6.2.3 with the Spotify Social Login addon installed and enabled (a non-default, paid configuration), and that the attacker knows the email address of an existing WordPress account they wish to impersonate. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue for any site running the specific vulnerable configuration, not merely a high-CVSS paper risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies the email address of a target WordPress administrator (often published or easily guessed), registers a new Spotify account using that same email, and then clicks 'Log in with Spotify' on the victim site. LoginPress Pro reads the unverified email from Spotify's /v1/me response, matches it to the administrator's account, and issues an authenticated admin session to the attacker - no password or MFA required by the social-login path. … |
| Remediation | No vendor-released patch version was identified in the provided data; the description confirms only that versions up to and including 6.2.3 are vulnerable, so administrators should monitor https://loginpress.pro/ and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/bef61f05-a2dc-4f61-a5da-7161a9912196?source=cve) for a fixed release and upgrade to it as soon as available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable the Spotify Social Login addon in LoginPress Pro unless operationally critical; immediately audit all administrator accounts for unauthorized access and review login audit logs for suspicious entries dating back to initial plugin deployment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42760
GHSA-cvjp-944x-5rjq