{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/loginpress/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-12598"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LoginPress Pro plugin \u003c= 6.2.3","WordPress"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","authentication-bypass","web"],"_cs_type":"advisory","_cs_vendors":["LoginPress","WordPress"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, identified as CVE-2026-12598, has been discovered in the LoginPress Pro plugin for WordPress, impacting all versions up to and including 6.2.3. This flaw specifically resides within the Spotify Social Login addon, which incorrectly trusts the unverified 'email' field returned by Spotify's \u003ccode\u003e/v1/me\u003c/code\u003e API endpoint. The plugin's \u003ccode\u003eloginpress_on_spotify_login()\u003c/code\u003e function uses this untrusted email address directly with \u003ccode\u003eget_user_by('email', $profile['email'])\u003c/code\u003e to identify and log in an existing WordPress account, without confirming the Spotify user actually owns the email or requiring proof of ownership for the matching WordPress account. This oversight creates a severe security loophole, allowing unauthenticated attackers to impersonate and gain full control over any WordPress user account, including those with administrator privileges, by simply registering a Spotify account using the target's email address and then authenticating via the Spotify provider on the vulnerable WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target WordPress user's email address on a site running the vulnerable LoginPress Pro plugin.\u003c/li\u003e\n\u003cli\u003eAttacker creates a new Spotify account using the target's email address.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the vulnerable WordPress site's login page, which offers \u0026quot;Login with Spotify\u0026quot; via the LoginPress Pro plugin.\u003c/li\u003e\n\u003cli\u003eAttacker initiates the \u0026quot;Login with Spotify\u0026quot; authentication flow.\u003c/li\u003e\n\u003cli\u003eThe LoginPress Pro plugin requests user profile information, including the 'email' field, from Spotify's \u003ccode\u003e/v1/me\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eSpotify's API returns the profile data, including the attacker-controlled (but target's) email address, which Spotify documents as unverified.\u003c/li\u003e\n\u003cli\u003eThe plugin's \u003ccode\u003eloginpress_on_spotify_login()\u003c/code\u003e function directly uses this unverified 'email' field to query for an existing WordPress user account via \u003ccode\u003eget_user_by('email', $profile['email'])\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUpon successfully finding a matching WordPress user account based on the email, the plugin authenticates the attacker as that WordPress user, bypassing any password verification, and granting full account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-12598 grants an unauthenticated attacker full account takeover capabilities over any WordPress user on a vulnerable site, including administrators. This can lead to complete compromise of the WordPress site, data exfiltration, website defacement, arbitrary code execution via plugin/theme editor, and further network penetration. The vulnerability applies to any WordPress instance using the LoginPress Pro plugin with the Spotify Social Login addon enabled, posing a significant risk to the integrity and confidentiality of websites and their user data across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-12598 immediately by updating the LoginPress Pro plugin to a version greater than 6.2.3.\u003c/li\u003e\n\u003cli\u003eIf immediate patching of the LoginPress Pro plugin is not feasible, disable the Spotify Social Login addon within the plugin as a temporary mitigation to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eReview WordPress audit logs for any suspicious login activity, particularly for administrator accounts, especially if originating from the Spotify Social Login method after July 10, 2026.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T00:20:06Z","date_published":"2026-07-10T00:20:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-loginpress-pro-auth-bypass/","summary":"An authentication bypass vulnerability (CVE-2026-12598) exists in the LoginPress Pro plugin for WordPress, affecting versions up to and including 6.2.3 within the Spotify Social Login addon, enabling unauthenticated attackers to log in as any existing WordPress user, including administrators, by registering a Spotify account with the target's email.","title":"CVE-2026-12598: LoginPress Pro WordPress Plugin Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-loginpress-pro-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - LoginPress","version":"https://jsonfeed.org/version/1.1"}