CVE-2025-6895
Published: 26 July 2025
Summary
CVE-2025-6895 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the Melapress Login Security plugin for WordPress. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting and patching of flaws such as the missing authorization check in the Melapress Login Security plugin; applying the vendor's fix removes the bypass outright.
- AC-3 (Access Enforcement): mandates that approved authorizations are actually enforced, addressing the missing authorization check in get_valid_user_based_on_token() that allows an unauthenticated login.
- IA-2 (Identification and Authentication (Organizational Users)): requires that users be reliably identified and authenticated before access is granted, mitigating the plugin's acceptance of a known user meta value as proof of identity.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authentication bypass in a public-facing WordPress plugin is reached directly over the network, so exploitation is Exploit Public-Facing Application (T1190); the result is a session as a legitimate user obtained without that user's credentials, which is abuse of Valid Accounts (T1078).
NVD Description
The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.
Deeper analysis
CVE-2025-6895 is an authentication bypass vulnerability in the Melapress Login Security plugin for WordPress, affecting versions 2.1.0 through 2.1.1. The flaw arises from missing authorization checks in the get_valid_user_based_on_token() function, which enables unauthenticated attackers who know an arbitrary user meta value to circumvent authentication mechanisms and log in as the targeted user. Published on 2025-07-26, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288.
The vulnerability is exploitable over the network with low complexity and requires neither privileges nor user interaction. The precondition is weaker than it sounds: the lookup accepts an arbitrary user meta value, and several WordPress user meta values are public or guessable by default (the nickname is set to the login name when an account is created, and first name, last name and description are commonly displayed by themes on author pages), so "knowing a meta value" frequently reduces to knowing a username. An attacker who supplies a matching value for a target account is logged in as that user. The impact is bounded by the impersonated account's role; impersonating an administrator yields full control of the site, including the ability to install plugins or themes, which on an installation that has not disabled file modifications amounts to arbitrary PHP execution, hence the High confidentiality, integrity and availability ratings.
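The bug class described above, as an added example that is not the plugin's code: a token-to-user lookup that matches the supplied value against any user meta key (so a public nickname "authenticates"), next to a hardened lookup that consults only the dedicated token key, compares in constant time, enforces an expiry and consumes the token on use. The user-meta table, the meta key names (mls_login_token_hash, mls_login_token_expires) and the 15-minute lifetime are constructed for the illustration and are not taken from the plugin; in WordPress the hardened lookup would be a meta query restricted to the dedicated key rather than a loop over users.

```python
import hashlib
import hmac
import secrets
import time

# Dedicated token meta keys. Assumed names for this example; the page does not
# give the plugin's real key names.
TOKEN_KEY = "mls_login_token_hash"
TOKEN_EXPIRES_KEY = "mls_login_token_expires"
TOKEN_TTL_SECONDS = 15 * 60


def sample_store():
    """Constructed user-meta table (user_id -> {meta_key: value}).
    In WordPress 'nickname' defaults to the login name, so it is effectively public."""
    return {
        1: {"nickname": "admin", "first_name": "Site", "description": "Owner"},
        2: {"nickname": "editor", "first_name": "Ed", "description": "Writes posts"},
    }


def get_valid_user_vulnerable(token, store):
    """The bug class on the page: the supplied value is matched against *every*
    meta value of every user, with no check that it is a login token at all."""
    for user_id, meta in store.items():
        if token in meta.values():
            return user_id
    return None


def issue_token(user_id, store, now=None):
    """Mint a one-time login token: random, stored only as a hash, with an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[user_id][TOKEN_KEY] = hashlib.sha256(token.encode()).hexdigest()
    store[user_id][TOKEN_EXPIRES_KEY] = now + TOKEN_TTL_SECONDS
    return token


def get_valid_user_hardened(token, store, now=None):
    """Only the dedicated token key is consulted, the comparison is constant-time,
    expired tokens are rejected, and a presented token is consumed (single use)."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    for user_id, meta in store.items():
        stored = meta.get(TOKEN_KEY)
        if stored is None:
            continue
        if hmac.compare_digest(stored, digest):
            expires = meta.pop(TOKEN_EXPIRES_KEY, 0)
            meta.pop(TOKEN_KEY, None)  # consume even when expired
            return user_id if now < expires else None
    return None


if __name__ == "__main__":
    store = sample_store()
    print(get_valid_user_vulnerable("admin", store))  # 1: the public nickname logs in user 1
    print(get_valid_user_hardened("admin", store))    # None: nickname is not a token
    t = issue_token(1, store)
    print(get_valid_user_hardened(t, store))          # 1: a freshly issued token works once
    print(get_valid_user_hardened(t, store))          # None: replay is rejected
```

The vulnerable lookup is the shape to grep for in any "magic link" or one-time-login code: a query on meta_value without a matching meta_key constraint, or a value comparison with no check of which key produced the row.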
Security practitioners should review the referenced material for remediation guidance: the WordPress plugin Trac repository for the affected code and the fixing changeset (3328137), the plugin developer's page, and the Wordfence threat intelligence report on the vulnerability. The primary remediation is to update the plugin to a release later than 2.1.1; where that cannot be done promptly, deactivating the plugin removes the vulnerable code path, since the bypass lives in the plugin rather than in WordPress core.
Details
- CWE(s)