Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable WordPress plugin endpoint with no user interaction yields privilege escalation to admin, giving full C/I/A impact on the site.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
AnalysisAI
Unauthenticated privilege escalation in LoginPress Pro WordPress plugin versions 6.2.2 and earlier allows remote attackers without credentials to elevate privileges on affected WordPress sites. Reported by Patchstack with a CVSS 9.8 critical rating, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Target WordPress site must have the LoginPress Pro plugin installed and activated at version 6.2.2 or earlier, with the plugin's HTTP endpoints reachable by the attacker (the standard WordPress deployment exposes wp-admin/admin-ajax.php and wp-json REST routes publicly). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to high real-world risk: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N is the worst-case profile (remote, low complexity, no privileges, no user interaction) and the C:H/I:H/A:H impact translates directly to full WordPress site compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans the internet for WordPress sites running LoginPress Pro, then issues a crafted unauthenticated HTTP request to the vulnerable plugin endpoint to grant themselves (or a newly created account) administrator privileges. With admin access they install a malicious plugin or theme to achieve full RCE, exfiltrate the WordPress database, and persist via a backdoor user - all without any credentials or user interaction. |
| Remediation | Patch available per vendor advisory: upgrade LoginPress Pro to the version released after 6.2.2 as listed in the Patchstack record at https://patchstack.com/database/wordpress/plugin/loginpress-pro/vulnerability/wordpress-loginpress-pro-plugin-6-2-2-privilege-escalation-vulnerability; the exact fixed version is not independently confirmed in the input data and should be verified against the LoginPress changelog before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using LoginPress Pro versions ≤6.2.2; immediately disable the plugin or restrict WordPress login page access via IP allowlist and Web Application Firewall rules as emergency containment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37613