Skip to main content

LoginPress Pro CVE-2026-49058

| EUVDEUVD-2026-37613 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-17 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable WordPress plugin endpoint with no user interaction yields privilege escalation to admin, giving full C/I/A impact on the site.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:06 vuln.today

DescriptionCVE.org

Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.

AnalysisAI

Unauthenticated privilege escalation in LoginPress Pro WordPress plugin versions 6.2.2 and earlier allows remote attackers without credentials to elevate privileges on affected WordPress sites. Reported by Patchstack with a CVSS 9.8 critical rating, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running LoginPress Pro
Delivery
Send crafted request to vulnerable plugin endpoint
Exploit
Trigger incorrect privilege assignment
Execution
Obtain administrator-level access
Persist
Install malicious plugin or backdoor
Impact
Exfiltrate data and persist

Vulnerability AssessmentAI

Exploitation Target WordPress site must have the LoginPress Pro plugin installed and activated at version 6.2.2 or earlier, with the plugin's HTTP endpoints reachable by the attacker (the standard WordPress deployment exposes wp-admin/admin-ajax.php and wp-json REST routes publicly). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world risk: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N is the worst-case profile (remote, low complexity, no privileges, no user interaction) and the C:H/I:H/A:H impact translates directly to full WordPress site compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans the internet for WordPress sites running LoginPress Pro, then issues a crafted unauthenticated HTTP request to the vulnerable plugin endpoint to grant themselves (or a newly created account) administrator privileges. With admin access they install a malicious plugin or theme to achieve full RCE, exfiltrate the WordPress database, and persist via a backdoor user - all without any credentials or user interaction.
Remediation Patch available per vendor advisory: upgrade LoginPress Pro to the version released after 6.2.2 as listed in the Patchstack record at https://patchstack.com/database/wordpress/plugin/loginpress-pro/vulnerability/wordpress-loginpress-pro-plugin-6-2-2-privilege-escalation-vulnerability; the exact fixed version is not independently confirmed in the input data and should be verified against the LoginPress changelog before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using LoginPress Pro versions ≤6.2.2; immediately disable the plugin or restrict WordPress login page access via IP allowlist and Web Application Firewall rules as emergency containment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy