CVE-2026-12598

HIGH

CVSS v3.1: 8.1

NetworkNo privilegesNo user interactionImproper AuthenticationVendor advisory ref

Source data as of:

At a glance

Severity
HIGH
CVSS
8.1 v3.1 · NVD
EPSS
EPSS not provided by FIRST.org for this CVE
CISA KEV
No
Type
Improper Authentication · NVD CWE
Attack conditions (CVSS vector)
NetworkNo privilegesNo user interaction · Source: NVD Vector
Published
2026-07-10 · Modified: 2026-07-10

CVSS / EPSS / KEV

CVSS v3.1 8.1 / 10 HIGH Source: NVD
EPSS EPSS not provided by FIRST.org for this CVE Source: FIRST.org
CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in versions up to and including 6.2.3 via the Spotify Social Login addon. This is due to the loginpress_on_spotify_login() function trusting the unverified 'email' field returned by Spotify's /v1/me endpoint and using it directly with get_user_by('email', $profile['email']) to identify and log in an existing WordPress account, without confirming that the Spotify user actually owns the email address (Spotify documents that the profile email is unverified) and without requiring the user to prove ownership of the matching WordPress account. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including Administrators, by registering a Spotify account using the targeted user's email address and authenticating via the Spotify provider.

Record details

CVE ID
CVE-2026-12598
CVSS (v3.1)
8.1 (HIGH)
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore
2.2
Impact subscore
5.9
CISA KEV
No
Weakness (CWE)
CWE-287
Affected configurations (CPE)
0
Published
2026-07-10
Modified
2026-07-10
Status
Received

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.