Introduction
Unauthorized user deletions and privilege escalation on a WordPress site mean immediate loss of access and of data integrity. The Melapress Login Security plugin, a popular choice for strengthening WordPress authentication, is vulnerable to a critical authentication bypass in versions 2.1.0 to 2.1.1, tracked as CVE-2025-6895: an attacker can log in as any user, including administrators, without valid credentials. A separate missing capability check in the same plugin, described below, lets unauthenticated attackers delete arbitrary users. The two weaknesses have different fix versions, which matters when reading the update advice later in this article.
Melapress develops security-focused plugins for WordPress, including tools for two-factor authentication, role management, and audit logging. Their products are widely adopted across the WordPress ecosystem, making vulnerabilities in their plugins highly impactful for site administrators and service providers.
Technical Information
CVE-2025-6895 lies in the get_valid_user_based_on_token function, which validates temporary login tokens. In plugin versions 2.1.0 and 2.1.1 the function does not properly bind the supplied token to a server-issued secret for the user it resolves, so an attacker can submit an arbitrary user meta value (such as a user ID or email address) in place of a genuine token and be logged in as that user, including as an administrator. Because WordPress user IDs are small sequential integers (the first administrator is normally ID 1) and are exposed through author archives and the public REST users endpoint, "knows or can guess a valid user meta value" in practice means any unauthenticated visitor.
A second, separate weakness is a missing capability check in the monitor_admin_actions function, which allows unauthenticated attackers to delete arbitrary users. The function is meant to track administrative actions but, in the vulnerable version, performs the deletion without verifying that the requester is logged in and holds the WordPress delete_users capability.
The root cause in both cases is the same: security-critical user management paths act on request data without first establishing who the requester is and what they are permitted to do, exposing the site to account takeover and user deletion.
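The following is an added illustration of the token-validation bug class described above, not code from the Melapress plugin. The insecure function shows the shape of the problem (a caller-supplied value is treated as a user identifier and nothing ties it to a secret the server issued); the hardened functions show one correct pattern using standard WordPress APIs. All mls_example_* names and the meta key are hypothetical.

```php
<?php
// Added example for this article; not code from the Melapress plugin.
// Every mls_example_* name and the meta key below are hypothetical.

// Vulnerable shape (illustrative): the "token" is used as a user identifier,
// so any guessable user meta value such as an ID or e-mail address resolves
// to an account and the caller is logged in as that account.
function mls_example_user_from_token_insecure( $token ) {
    $user = is_numeric( $token )
        ? get_user_by( 'id', (int) $token )
        : get_user_by( 'email', $token );
    return $user ? $user : false; // caller proceeds to wp_set_auth_cookie()
}

define( 'MLS_EXAMPLE_META_KEY', '_mls_example_temp_login' ); // hypothetical key
define( 'MLS_EXAMPLE_TTL', 15 * MINUTE_IN_SECONDS );          // token lifetime

/** Issue a one-time login token for a user; only its keyed hash is stored. */
function mls_example_issue_token( $user_id ) {
    $token = wp_generate_password( 32, false ); // drawn from a CSPRNG
    update_user_meta( (int) $user_id, MLS_EXAMPLE_META_KEY, array(
        'hash'    => wp_hash( $token ),          // HMAC keyed with the site salts
        'expires' => time() + MLS_EXAMPLE_TTL,
    ) );
    return $token; // delivered out of band (e-mail), never echoed in a response
}

/**
 * Resolve (user_id, token) to a user only if the token matches the stored,
 * unexpired hash. The user ID is just an index: knowing it proves nothing.
 */
function mls_example_user_from_token( $user_id, $token ) {
    $record = get_user_meta( (int) $user_id, MLS_EXAMPLE_META_KEY, true );
    if ( ! is_array( $record ) || empty( $record['hash'] ) || empty( $record['expires'] ) ) {
        return false;
    }
    if ( time() > (int) $record['expires'] ) {
        return false; // expired
    }
    if ( ! hash_equals( $record['hash'], wp_hash( $token ) ) ) {
        return false; // constant-time comparison against the stored hash
    }
    delete_user_meta( (int) $user_id, MLS_EXAMPLE_META_KEY ); // single use
    return get_user_by( 'id', (int) $user_id );
}

/** Request handler: establish a session only after the token check passes. */
function mls_example_handle_token_login() {
    if ( empty( $_GET['mls_uid'] ) || empty( $_GET['mls_token'] ) ) {
        return;
    }
    $user = mls_example_user_from_token(
        (int) $_GET['mls_uid'],
        sanitize_text_field( wp_unslash( $_GET['mls_token'] ) )
    );
    if ( ! $user ) {
        wp_die( 'Invalid or expired login token.', '', array( 'response' => 403 ) );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'mls_example_handle_token_login' );
```

The hardened path authenticates on the hash match, the expiry and the single-use deletion, never on the identifier; an attacker who knows every user ID and email address on the site still cannot produce a value that satisfies hash_equals. Storing wp_hash( $token ) rather than the token itself also means a database read (for example through SQL injection elsewhere) does not yield usable tokens.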
Proof of Concept
The Wordfence advisory for the user-deletion issue concerns version 2.1.0 of the MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress: a missing capability check in the 'monitor_admin_actions' function lets unauthenticated attackers delete any user from the WordPress installation.
The 'monitor_admin_actions' function is designed to track administrative actions within the WordPress dashboard. In the affected version it does not verify that the requester is authenticated or holds the WordPress delete_users capability before acting, so a request that reaches this function bypasses every authentication control and directly invokes the user deletion path.
An attacker therefore needs only a crafted request to the site to trigger deletion of arbitrary user accounts, with unrecoverable loss of account data and disruption of site operations as the result.
This deletion issue was fixed in version 2.1.1. Note that 2.1.1 is still listed in this article as affected by the token-based authentication bypass (CVE-2025-6895), so 2.1.1 is not a complete fix; sites should update to a later release.
PoC Source: Wordfence Advisory
Patch Information
In response to the user-deletion issue, the development team released version 2.1.1, which adds a capability check to the monitor_admin_actions function so that only users who hold the required permission can reach the user-management operations it performs; an unauthenticated request is now rejected before any deletion runs.
Update to 2.1.1 or later to close the user-deletion issue. Because this article lists 2.1.1 among the versions affected by the CVE-2025-6895 authentication bypass, sites should move to a release later than 2.1.1 rather than stop at 2.1.1. Keeping plugins current remains a baseline control for the security and integrity of any WordPress site.
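To make the patch concrete, here is an added example (not the vendor's code; the mls_example_* names and the mls_action/user_id request parameters are hypothetical) of an admin-action hook in its vulnerable shape next to the hardened shape, which gates the deletion behind authentication, a capability check, a nonce and an object-level check. The class of fix is the one the page describes; the surrounding handler is invented for illustration.

```php
<?php
// Added example for this article; not the plugin's monitor_admin_actions.
// mls_example_* names and the request parameters are hypothetical.

// Vulnerable shape (illustrative): a hook that runs on every admin request
// and acts on request parameters with no capability or nonce check at all.
function mls_example_monitor_insecure() {
    if ( isset( $_REQUEST['mls_action'], $_REQUEST['user_id'] )
        && 'delete' === $_REQUEST['mls_action'] ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( (int) $_REQUEST['user_id'] ); // reachable by anyone
    }
}

// Hardened shape: four gates in front of the sensitive operation.
function mls_example_monitor_hardened() {
    if ( ! isset( $_REQUEST['mls_action'], $_REQUEST['user_id'] )
        || 'delete' !== $_REQUEST['mls_action'] ) {
        return;
    }
    $target = (int) $_REQUEST['user_id'];

    // 1. Authentication: an anonymous request never reaches the action.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 401 ) );
    }
    // 2. Capability: only roles allowed to delete users (administrators by default).
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. CSRF: the request must carry a nonce minted for this exact action
    //    (check_admin_referer() dies on a missing or stale nonce).
    check_admin_referer( 'mls_example_delete_user_' . $target );
    // 4. Object-level check: WordPress maps the delete_user meta capability
    //    per target, and an account must never delete itself this way.
    if ( $target === get_current_user_id() || ! current_user_can( 'delete_user', $target ) ) {
        wp_die( 'Refusing to delete this user.', '', array( 'response' => 403 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user()
    wp_delete_user( $target );
}
add_action( 'admin_init', 'mls_example_monitor_hardened' );

/** Build the link an administrator would actually click (nonce included). */
function mls_example_delete_link( $user_id ) {
    $url = add_query_arg(
        array( 'mls_action' => 'delete', 'user_id' => (int) $user_id ),
        admin_url( 'users.php' )
    );
    return wp_nonce_url( $url, 'mls_example_delete_user_' . (int) $user_id );
}
```

Gates 1 and 2 are what the page says version 2.1.1 added; gates 3 and 4 are the checks a reviewer would ask for on the same hunk, because a capability check alone still lets an attacker drive a logged-in administrator's browser into the action (CSRF) and does not stop an administrator from deleting an account the policy says they may not.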
Patch Sources:
Detection Methods
Detecting unauthorized user deletions due to the missing authorization vulnerability in MelaPress Login Security 2.1.0 involves monitoring for specific indicators of compromise (IoCs) and implementing targeted logging and alerting mechanisms. (secalerts.co)
Indicators of Compromise (IoCs):
- Unexpected User Deletions:
- Audit Logs: Review WordPress audit logs for user deletion entries, in particular any deletion recorded without a logged-in initiator, or initiated by a non-administrative account or from an IP address not associated with administrative activity.
- User Activity Logs: Look for deletion patterns that deviate from normal administrative behaviour, such as several deletions within a short window or deletions during off-hours.
- Unexpected Administrator Sessions: Because the token-validation flaw yields a login as any user, an administrator session that appears in the logs with no matching password or two-factor authentication event is a strong indicator that the bypass is being used.
Log Analysis and Monitoring:
- Enhanced Logging:
- Enable Detailed Logging: Configure WordPress and server logs to capture detailed information about user management actions, including the initiator's IP address, user agent, and the exact time of the action.
- Log Integrity: Ensure that logs are stored securely and are tamper-evident to maintain their reliability as a source of truth.
- Automated Alerts:
- Threshold-Based Alerts: Set up alerts that trigger when user deletions exceed a predefined threshold within a specific period, indicating potential unauthorized activity.
- Anomaly Detection: Implement anomaly detection systems that can identify deviations from established patterns of user management activities.
Network Traffic Monitoring:
- Unusual Requests:
- Monitor Plugin Entry Points: Watch web server logs for requests that reach the plugin's login-token and admin-action handlers without an authenticated session cookie, especially from IP addresses with no prior legitimate activity. Neither issue on this page goes through the WordPress REST API, so REST-only monitoring will miss them.
- Rate Limiting: Apply rate limiting to those entry points. This slows brute-force guessing of user identifiers but does not stop a single correctly targeted request, so it complements patching rather than replacing it.
File Integrity Monitoring:
- Plugin File Changes:
- Monitor Plugin Files: Exploiting either issue modifies no files, so file integrity monitoring does not catch the exploit itself; it catches what an attacker does with an administrator session afterwards, such as editing plugin or theme files to plant a backdoor.
- Checksum Verification: Compare the installed plugin files against the checksums of the released version (for example with WP-CLI's wp plugin verify-checksums) to detect tampering.
User Behavior Analytics:
- Behavioral Baselines:
- Establish Norms: Develop baselines for typical administrative behaviors regarding user management.
- Deviation Alerts: Configure systems to alert when actions deviate significantly from these baselines, such as an administrator account performing user deletions from an unfamiliar location or device.
By implementing these detection strategies, administrators can identify and respond to unauthorized user deletions resulting from the missing authorization vulnerability in MelaPress Login Security 2.1.0, thereby enhancing the security posture of their WordPress installations.
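As an added, runnable example of the unauthenticated-actor and threshold rules above (not from the page's sources or the vendor), the script below parses a constructed "timestamp key=value ..." audit-log format and emits alerts. The line format, the field names and the mls_example_* helpers are invented for this example; the two rules are what a practitioner would port to a real audit plugin's output.

```php
<?php
// Added example for this article (not from the page's sources or the vendor):
// threshold and unauthenticated-actor alerts over constructed audit-log lines.
// The "<iso-timestamp> key=value ..." format is invented for the example;
// adapt mls_example_parse_line() to your audit plugin's real output.

define( 'MLS_EXAMPLE_WINDOW_SECONDS', 300 ); // sliding window: 5 minutes
define( 'MLS_EXAMPLE_THRESHOLD', 3 );        // deletions per IP in the window

/** Parse one "<iso-timestamp> k=v k=v ..." line; returns null if unparsable. */
function mls_example_parse_line( $line ) {
    if ( ! preg_match( '/^(\S+)\s+(.+)$/', trim( $line ), $m ) ) {
        return null;
    }
    $ts = strtotime( $m[1] );
    if ( false === $ts ) {
        return null;
    }
    $fields = array( 'ts' => $ts );
    foreach ( preg_split( '/\s+/', $m[2] ) as $kv ) {
        if ( false !== strpos( $kv, '=' ) ) {
            list( $k, $v ) = explode( '=', $kv, 2 );
            $fields[ $k ] = $v;
        }
    }
    return $fields;
}

/** Return alert strings for a chronologically ordered list of log lines. */
function mls_example_detect( array $lines ) {
    $alerts = array();
    $by_ip  = array(); // ip => deletion timestamps inside the current window

    foreach ( $lines as $line ) {
        $e = mls_example_parse_line( $line );
        if ( null === $e || 'user_deleted' !== ( $e['event'] ?? '' ) ) {
            continue;
        }
        $ip    = $e['ip'] ?? 'unknown';
        $actor = $e['actor'] ?? '-';

        // Rule 1: a deletion with no authenticated actor is exactly what a
        // missing capability check produces; a single hit is enough to alert.
        if ( '-' === $actor ) {
            $alerts[] = sprintf( 'UNAUTHENTICATED_DELETE ip=%s target=%s at %s',
                $ip, $e['target_id'] ?? '?', gmdate( 'c', $e['ts'] ) );
        }

        // Rule 2: burst of deletions from one source IP. Drop timestamps older
        // than the window, then alert when the count reaches the threshold
        // (it fires again only if the count falls below and climbs back).
        $now = $e['ts'];
        $by_ip[ $ip ][] = $now;
        $by_ip[ $ip ] = array_values( array_filter(
            $by_ip[ $ip ],
            function ( $t ) use ( $now ) { return $now - $t <= MLS_EXAMPLE_WINDOW_SECONDS; }
        ) );
        if ( count( $by_ip[ $ip ] ) === MLS_EXAMPLE_THRESHOLD ) {
            $alerts[] = sprintf( 'DELETE_BURST ip=%s count=%d within %ds',
                $ip, MLS_EXAMPLE_THRESHOLD, MLS_EXAMPLE_WINDOW_SECONDS );
        }
    }
    return $alerts;
}

// Constructed sample: a burst of deletions at 02:13 from one IP with no
// logged-in actor (the exploitation pattern), then one routine deletion by
// an administrator during working hours, which raises no alert.
$sample = array(
    '2025-07-01T02:13:07Z ip=203.0.113.9 actor=- event=user_deleted target_id=12',
    '2025-07-01T02:13:09Z ip=203.0.113.9 actor=- event=user_deleted target_id=13',
    '2025-07-01T02:13:11Z ip=203.0.113.9 actor=- event=user_deleted target_id=14',
    '2025-07-01T02:14:00Z ip=203.0.113.9 actor=- event=login_failed target_id=1',
    '2025-07-01T09:15:02Z ip=198.51.100.4 actor=admin event=user_deleted target_id=41',
);
foreach ( mls_example_detect( $sample ) as $alert ) {
    echo $alert, PHP_EOL;
}
```

Run it with php detect.php; the three anonymous deletions each produce an UNAUTHENTICATED_DELETE alert and the third also trips DELETE_BURST, while the administrator's deletion is silent. Rule 1 is the one worth keeping even after patching: a deletion that no logged-in user performed should never happen on a healthy site, whereas the rate rule (Rule 2) tunes out quiet, single-account attacks and needs a threshold chosen from the site's own baseline.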
Detection Sources:
Affected Systems and Versions
- Product: Melapress Login Security plugin for WordPress
- Vulnerable Versions: 2.1.0 and 2.1.1
- Configuration: Any WordPress installation using the above plugin versions is vulnerable, regardless of other configuration settings.
Vendor Security History
Melapress has previously addressed vulnerabilities related to missing authorization checks and privilege escalation in its plugins. The vendor has a track record of releasing timely patches and engaging in responsible disclosure practices. However, repeated issues with authorization logic highlight the need for ongoing code review and security testing in their development lifecycle.