Search criteria
8 vulnerabilities found for MelaPress Login Security by Melapress
CVE-2025-6895 (GCVE-0-2025-6895)
Vulnerability from cvelistv5 – Published: 2025-07-26 04:25 – Updated: 2025-07-28 18:33
VLAI?
Title
MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function
Summary
The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.
Severity ?
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| melapress | Melapress Login Security |
Affected:
2.1.0 , ≤ 2.1.1
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T18:33:20.638684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T18:33:26.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Melapress Login Security",
"vendor": "melapress",
"versions": [
{
"lessThanOrEqual": "2.1.1",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T04:25:24.963Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=cve"
},
{
"url": "https://wordpress.org/plugins/melapress-login-security/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/class-melapress-login-security.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/modules/temporary-logins/class-temporary-logins.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3328137"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-28T21:05:41.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-07-25T16:23:06.000+00:00",
"value": "Disclosed"
}
],
"title": "MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6895",
"datePublished": "2025-07-26T04:25:24.963Z",
"dateReserved": "2025-06-28T20:49:01.041Z",
"dateUpdated": "2025-07-28T18:33:26.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39565 (GCVE-0-2025-39565)
Vulnerability from cvelistv5 – Published: 2025-04-16 12:44 – Updated: 2025-04-16 13:13
VLAI?
Title
WordPress MelaPress Login Security <= 2.1.0 - PHP Object Injection Vulnerability
Summary
Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0.
Severity ?
6.6 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Melapress | MelaPress Login Security |
Affected:
n/a , ≤ 2.1.0
(custom)
|
Credits
Phan Trong Quan - VNPT Cyber Immunity (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-39565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T13:13:29.553472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T13:13:53.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "melapress-login-security",
"product": "MelaPress Login Security",
"vendor": "Melapress",
"versions": [
{
"changes": [
{
"at": "2.1.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Phan Trong Quan - VNPT Cyber Immunity (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection.\u003c/p\u003e\u003cp\u003eThis issue affects MelaPress Login Security: from n/a through 2.1.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T12:44:31.718Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/melapress-login-security/vulnerability/wordpress-melapress-login-security-2-1-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress MelaPress Login Security plugin to the latest available version (at least 2.1.1)."
}
],
"value": "Update the WordPress MelaPress Login Security plugin to the latest available version (at least 2.1.1)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MelaPress Login Security \u003c= 2.1.0 - PHP Object Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-39565",
"datePublished": "2025-04-16T12:44:31.718Z",
"dateReserved": "2025-04-16T06:25:01.732Z",
"dateUpdated": "2025-04-16T13:13:53.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2876 (GCVE-0-2025-2876)
Vulnerability from cvelistv5 – Published: 2025-04-08 11:11 – Updated: 2025-04-08 12:59
VLAI?
Title
MelaPress Login Security and MelaPress Login Security Premium 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion
Summary
The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| melapress | MelaPress Login Security Premium |
Affected:
2.1.0
|
|||||||
|
|||||||||
Credits
Michelle Porter
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T12:58:43.011592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T12:59:23.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MelaPress Login Security Premium",
"vendor": "melapress",
"versions": [
{
"status": "affected",
"version": "2.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MelaPress Login Security",
"vendor": "melapress",
"versions": [
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michelle Porter"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027monitor_admin_actions\u0027 function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T11:11:31.603Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/559cbc69-85b6-4bad-9bb2-26d64195ba7e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/trunk/app/modules/temporary-logins/class-temporary-logins.php#L71"
},
{
"url": "https://melapress.com/wordpress-login-security/releases/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3267748/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-07T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "MelaPress Login Security and MelaPress Login Security Premium 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2876",
"datePublished": "2025-04-08T11:11:31.603Z",
"dateReserved": "2025-03-27T15:54:09.474Z",
"dateUpdated": "2025-04-08T12:59:23.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35650 (GCVE-0-2024-35650)
Vulnerability from cvelistv5 – Published: 2024-06-10 15:43 – Updated: 2024-08-02 03:14
VLAI?
Title
WordPress MelaPress Login Security plugin <= 1.3.0 - Remote File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.This issue affects MelaPress Login Security: from n/a through 1.3.0.
Severity ?
4.9 (Medium)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Melapress | MelaPress Login Security |
Affected:
n/a , ≤ 1.3.0
(custom)
|
Credits
YC_Infosec (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T17:02:57.445913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:03:08.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:14:53.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/melapress-login-security/wordpress-melapress-login-security-plugin-1-3-0-remote-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "melapress-login-security",
"product": "MelaPress Login Security",
"vendor": "Melapress",
"versions": [
{
"changes": [
{
"at": "1.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "YC_Infosec (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.\u003cp\u003eThis issue affects MelaPress Login Security: from n/a through 1.3.0.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.This issue affects MelaPress Login Security: from n/a through 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-193",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-193 PHP Remote File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T15:43:24.549Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/melapress-login-security/wordpress-melapress-login-security-plugin-1-3-0-remote-file-inclusion-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.3.1 or a higher version."
}
],
"value": "Update to 1.3.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MelaPress Login Security plugin \u003c= 1.3.0 - Remote File Inclusion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35650",
"datePublished": "2024-06-10T15:43:24.549Z",
"dateReserved": "2024-05-17T10:08:10.962Z",
"dateUpdated": "2024-08-02T03:14:53.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6895 (GCVE-0-2025-6895)
Vulnerability from nvd – Published: 2025-07-26 04:25 – Updated: 2025-07-28 18:33
VLAI?
Title
MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function
Summary
The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.
Severity ?
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| melapress | Melapress Login Security |
Affected:
2.1.0 , ≤ 2.1.1
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T18:33:20.638684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T18:33:26.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Melapress Login Security",
"vendor": "melapress",
"versions": [
{
"lessThanOrEqual": "2.1.1",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T04:25:24.963Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=cve"
},
{
"url": "https://wordpress.org/plugins/melapress-login-security/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/class-melapress-login-security.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/tags/2.1.1/app/modules/temporary-logins/class-temporary-logins.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3328137"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-28T21:05:41.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-07-25T16:23:06.000+00:00",
"value": "Disclosed"
}
],
"title": "MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6895",
"datePublished": "2025-07-26T04:25:24.963Z",
"dateReserved": "2025-06-28T20:49:01.041Z",
"dateUpdated": "2025-07-28T18:33:26.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39565 (GCVE-0-2025-39565)
Vulnerability from nvd – Published: 2025-04-16 12:44 – Updated: 2025-04-16 13:13
VLAI?
Title
WordPress MelaPress Login Security <= 2.1.0 - PHP Object Injection Vulnerability
Summary
Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0.
Severity ?
6.6 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Melapress | MelaPress Login Security |
Affected:
n/a , ≤ 2.1.0
(custom)
|
Credits
Phan Trong Quan - VNPT Cyber Immunity (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-39565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T13:13:29.553472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T13:13:53.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "melapress-login-security",
"product": "MelaPress Login Security",
"vendor": "Melapress",
"versions": [
{
"changes": [
{
"at": "2.1.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Phan Trong Quan - VNPT Cyber Immunity (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection.\u003c/p\u003e\u003cp\u003eThis issue affects MelaPress Login Security: from n/a through 2.1.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T12:44:31.718Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/melapress-login-security/vulnerability/wordpress-melapress-login-security-2-1-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress MelaPress Login Security plugin to the latest available version (at least 2.1.1)."
}
],
"value": "Update the WordPress MelaPress Login Security plugin to the latest available version (at least 2.1.1)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MelaPress Login Security \u003c= 2.1.0 - PHP Object Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-39565",
"datePublished": "2025-04-16T12:44:31.718Z",
"dateReserved": "2025-04-16T06:25:01.732Z",
"dateUpdated": "2025-04-16T13:13:53.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2876 (GCVE-0-2025-2876)
Vulnerability from nvd – Published: 2025-04-08 11:11 – Updated: 2025-04-08 12:59
VLAI?
Title
MelaPress Login Security and MelaPress Login Security Premium 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion
Summary
The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| melapress | MelaPress Login Security Premium |
Affected:
2.1.0
|
|||||||
|
|||||||||
Credits
Michelle Porter
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T12:58:43.011592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T12:59:23.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MelaPress Login Security Premium",
"vendor": "melapress",
"versions": [
{
"status": "affected",
"version": "2.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MelaPress Login Security",
"vendor": "melapress",
"versions": [
{
"status": "affected",
"version": "2.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michelle Porter"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027monitor_admin_actions\u0027 function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T11:11:31.603Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/559cbc69-85b6-4bad-9bb2-26d64195ba7e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/melapress-login-security/trunk/app/modules/temporary-logins/class-temporary-logins.php#L71"
},
{
"url": "https://melapress.com/wordpress-login-security/releases/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3267748/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-07T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "MelaPress Login Security and MelaPress Login Security Premium 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2876",
"datePublished": "2025-04-08T11:11:31.603Z",
"dateReserved": "2025-03-27T15:54:09.474Z",
"dateUpdated": "2025-04-08T12:59:23.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35650 (GCVE-0-2024-35650)
Vulnerability from nvd – Published: 2024-06-10 15:43 – Updated: 2024-08-02 03:14
VLAI?
Title
WordPress MelaPress Login Security plugin <= 1.3.0 - Remote File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.This issue affects MelaPress Login Security: from n/a through 1.3.0.
Severity ?
4.9 (Medium)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Melapress | MelaPress Login Security |
Affected:
n/a , ≤ 1.3.0
(custom)
|
Credits
YC_Infosec (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T17:02:57.445913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:03:08.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:14:53.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/melapress-login-security/wordpress-melapress-login-security-plugin-1-3-0-remote-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "melapress-login-security",
"product": "MelaPress Login Security",
"vendor": "Melapress",
"versions": [
{
"changes": [
{
"at": "1.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "YC_Infosec (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.\u003cp\u003eThis issue affects MelaPress Login Security: from n/a through 1.3.0.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.This issue affects MelaPress Login Security: from n/a through 1.3.0."
}
],
"impacts": [
{
"capecId": "CAPEC-193",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-193 PHP Remote File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T15:43:24.549Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/melapress-login-security/wordpress-melapress-login-security-plugin-1-3-0-remote-file-inclusion-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.3.1 or a higher version."
}
],
"value": "Update to 1.3.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MelaPress Login Security plugin \u003c= 1.3.0 - Remote File Inclusion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35650",
"datePublished": "2024-06-10T15:43:24.549Z",
"dateReserved": "2024-05-17T10:08:10.962Z",
"dateUpdated": "2024-08-02T03:14:53.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}