MelaPress Login Security 2.1.0 – 2.1.1 – Authentication Bypass to...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.

Basic Information

ID CVE-2025-6895

Source Wordfence

Published Jul 26, 2025 at 04:25

Modified Jul 28, 2025 at 18:33

Affected Product

Vendor melapress

Product Melapress Login Security

Version 2.1.0

Affected Versions melapress Melapress Login Security 2.1.0

CWE Classification

CWE-288

References

{
    "lastseen": "",
    "description": "The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.",
    "published": "2025-07-26T04:25:24.963Z",
    "modified": "2025-07-28T18:33:26.188Z",
    "type": "cve",
    "title": "MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=cve\nhttps://wordpress.org/plugins/melapress-login-security/#developers\nhttps://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/class-melapress-login-security.php\nhttps://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/modules/temporary-logins/class-temporary-logins.php\nhttps://plugins.trac.wordpress.org/changeset/3328137",
    "id": "CVE-2025-6895",
    "bulletinFamily": "",
    "cwe": [
        "CWE-288"
    ],
    "cvelist": null,
    "sourceData": "melapress Melapress Login Security 2.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Melapress Login Security",
    "version": "2.1.0",
    "vendor": "melapress",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MelaPress Login Security 2.1.0 – 2.1.1 – Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function_CVE-2025-6895