CVE-2025-6895 - Vulnerability Details

CVE-2025-6895 - MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function

The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Melapress	Melapress Login Security
Wordpress	Wordpress

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/class-melapress-login-security.php
https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/modules/temporary-logins/class-temporary-logins.php
https://plugins.trac.wordpress.org/changeset/3328137
https://wordpress.org/plugins/melapress-login-security/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=cve

History

Mon, 28 Jul 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 28 Jul 2025 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Melapress Melapress melapress Login Security Wordpress Wordpress wordpress
Vendors & Products		Melapress Melapress melapress Login Security Wordpress Wordpress wordpress

Sat, 26 Jul 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.
Title		MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function
Weaknesses		CWE-288
References		https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/class-melapress-login-security.php https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/modules/temporary-logins/class-temporary-logins.php https://plugins.trac.wordpress.org/changeset/3328137 https://wordpress.org/plugins/melapress-login-security/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-07-26T04:25:24.963Z

Updated: 2025-07-28T18:33:26.188Z

Reserved: 2025-06-28T20:49:01.041Z

Link: CVE-2025-6895

Vulnrichment

Updated: 2025-07-28T18:33:23.500Z

NVD

Status : Awaiting Analysis

Published: 2025-07-26T05:15:25.673

Modified: 2025-07-29T14:14:55.157

Link: CVE-2025-6895

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object