Vulnerabilities and security researches formelapress-login-security melapress-login-security

Jun 07, 2024

CVE, Research URL: CVE-2024-35650
Home page URL: Security reports for MelaPress Login Security
Application: MelaPress Login Security
Date: Jun 10, 2024
Research Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Melapress MelaPress Login Security allows PHP Remote File Inclusion.This issue affects MelaPress Login Security: from n/a through 1.3.0.
Affected versions: max 1.3.1.
Status: vulnerable

Apr 09, 2025

CVE, Research URL: CVE-2025-2876
Home page URL: Security reports for MelaPress Login Security
Application: MelaPress Login Security
Date: Apr 08, 2025
Research Description: The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user.
Affected versions: max 2.1.1.
Status: vulnerable

Apr 18, 2025

CVE, Research URL: CVE-2025-39565
Home page URL: Security reports for MelaPress Login Security
Application: MelaPress Login Security
Date: Apr 16, 2025
Research Description: MelaPress Login Security [melapress-login-security] < 2.1.1 CVE-2025-39565 [en] Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0.
Affected versions: max 2.1.1.
Status: vulnerable

Jul 26, 2025

CVE, Research URL: CVE-2025-6895
Home page URL: Security reports for MelaPress Login Security
Application: MelaPress Login Security
Date: Jul 26, 2025
Research Description: The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.
Affected versions: max 2.2.0.
Status: vulnerable