vulnerability

WordPress Plugin: melapress-login-security: CVE-2025-6895: Authentication Bypass Using an Alternate Path or Channel

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Jul 25, 2025	Jul 28, 2025	Jul 28, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jul 25, 2025

Added

Jul 28, 2025

Modified

Jul 28, 2025

Description

The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.

Solution

melapress-login-security-plugin-cve-2025-6895

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-6895
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=api-prod
CVE-2025-6895
https://attackerkb.com/topics/CVE-2025-6895
CWE-288

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today