MelaPress Login Security 2.1.0 – 2.1.1 – Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function

CVE Details

Basic Information

Title: MelaPress Login Security 2.1.0 – 2.1.1 – Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function
Type: cve
Published: 2025-07-26T04:25:24.963Z
Modified: 2025-07-26T04:25:24.963Z

Product Information

Vendor: melapress
Product: Melapress Login Security
Version: 2.1.0

CVSS Information

Base Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

  • melapress Melapress Login Security 2.1.0

Additional Information

CWE List: CWE-288
Source: Wordfence

Description

The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.
