{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7444", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-10T19:51:23.413Z", "datePublished": "2025-07-18T08:22:39.012Z", "dateUpdated": "2026-04-08T17:03:40.061Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:40.061Z"}, "affected": [{"vendor": "LoginPress", "product": "LoginPress Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token."}], "title": "LoginPress Pro <= 5.0.1 - Authentication Bypass via WordPress.com OAuth provider", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80fcb3af-0b27-4442-aca0-58626b68f0d9?source=cve"}, {"url": "https://loginpress.pro/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-07-11T13:22:19.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-18T13:44:29.027944Z", "id": "CVE-2025-7444", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T13:44:40.017Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-18T13:44:29.027944Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T13:44:32.300Z"}}], "cna": {"title": "LoginPress Pro <= 5.0.1 - Authentication Bypass via WordPress.com OAuth provider", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "LoginPress", "product": "LoginPress Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-11T13:22:19.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80fcb3af-0b27-4442-aca0-58626b68f0d9?source=cve"}, {"url": "https://loginpress.pro/changelog/"}], "descriptions": [{"lang": "en", "value": "The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:40.061Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7444", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:40.061Z", "dateReserved": "2025-07-10T19:51:23.413Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-18T08:22:39.012Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token."}, {"lang": "es", "value": "El complemento LoginPress Pro para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en todas las versiones hasta la 5.0.1 incluida. Esto se debe a una verificaci\u00f3n insuficiente del usuario que devuelve el token de inicio de sesi\u00f3n social. Esto permite que atacantes no autenticados inicien sesi\u00f3n como cualquier usuario del sitio, como un administrador, si tienen acceso al correo electr\u00f3nico y el usuario no tiene una cuenta existente en el servicio que devuelve el token."}], "id": "CVE-2025-7444", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-18T09:15:27.333", "references": [{"source": "security@wordfence.com", "url": "https://loginpress.pro/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80fcb3af-0b27-4442-aca0-58626b68f0d9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:57:31.172102+00:00", "value": {"mitigation_remediation": ["Upgrade LoginPress Pro to the latest version (5.0.2 or newer) as soon as it becomes available.", "Temporarily disable WordPress.com OAuth or all social login options until the plugin is patched.", "Monitor authentication logs for unexpected logins and consider implementing multi\u2011factor authentication to mitigate exposure."], "summary": {"action": "Immediate Patch", "impact": "Authentication bypass that permits unauthorized login as any existing user"}, "threat_synthesis": {"affected_systems": "LoginPress Pro plugin for WordPress versions 5.0.1 and older.", "description_and_impact": "LoginPress Pro plugin for WordPress up to version 5.0.1 has an authentication bypass that permits an unauthenticated attacker to log in as an existing user by submitting a WordPress.com OAuth token for that user's email. The flaw stems from insufficient verification of the user returned by the token, enabling attackers who know or can guess the target email to gain full site access, including administrator privileges, thereby compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.8 classifies this vulnerability as critical, although its EPSS score of less than 1% indicates a low probability of exploitation at present. It is not listed in the CISA KEV catalog, so no public, confirmed exploits are known. The attack vector is inferred to be remote, requiring an attacker to supply a WordPress.com OAuth token for a valid email address; once the token is accepted, the attacker can assume the account\u2019s privileges."}}}}, "created": "2025-07-21T15:17:12.398835+00:00", "updated": "2026-04-21T04:00:10.073746+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}