CVE-2026-49058 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-49058: WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability

Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.

Metrics

CVSS v3.1 base score: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated privilege escalation vulnerability affects the WordPress LoginPress Pro plugin at version 6.2.2 and earlier. The flaw is reachable over the network with no credentials and no user interaction, so any remote party who can send HTTP requests to the WordPress instance can attempt it. Successful exploitation lets an attacker escalate to a privileged role, with full confidentiality, integrity, and availability impact on the affected site. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix version is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-49058 is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle LoginPress Pro.

Triage: Available

HarborGuard scores this CVE at CVSS 9.8 Critical and applies per-environment compliance policy weighting to prioritize and route alerts to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers can use HarborGuard policy controls to flag any image containing LoginPress Pro 6.2.2 or earlier as non-compliant and block its promotion through the pipeline.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress instance.

  • Authentication: Not required

    No account or session token is needed; the privilege escalation path is fully accessible to unauthenticated remote requests.

  • Victim interaction: Not required

    The attacker does not need any site user or administrator to take any action; exploitation is entirely attacker-driven.

  • Attack complexity: Low

    Low attack complexity means the exploit is reliable and requires no special conditions, race conditions, or environmental prerequisites.

Blast Radius

  • An attacker gains a privileged WordPress role, reading all stored content, user records, credentials, and private data held in the database.
  • With write access, an attacker can modify or delete posts, pages, plugin settings, and user accounts, including creating new administrator accounts.
  • Full integrity impact means an attacker can install or modify WordPress plugins and themes, enabling persistent backdoors or malicious code injection.
  • Full availability impact means an attacker can disable the site, corrupt database content, or lock out legitimate administrators entirely.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-49058 exists yet, HarborGuard continuously re-evaluates the Patchstack advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that flow includes a regression-test run and a PR opened against affected workloads with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues once an upstream fix is available. In the meantime, compensating controls available through HarborGuard include flagging any image containing LoginPress Pro 6.2.2 or earlier as non-compliant to block pipeline promotion, applying network-policy isolation to restrict external access to affected WordPress deployments, and enabling egress filtering to limit lateral movement if a container is compromised. Customers who have not yet opted into auto-remediation can configure compliance policies manually inside the HarborGuard dashboard to enforce these controls today.

Affected packages
  • LoginPress / LoginPress Pro
    ≤ 6.2.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References