CVE-2025-6895 is a critical authentication bypass vulnerability affecting the Melapress Login Security plugin for WordPress, specifically versions 2.1.0 to 2.1.1. The vulnerability stems from a missing authorization check within the get_valid_user_based_on_token() function. This flaw allows unauthenticated attackers who can guess or know an arbitrary user meta value to bypass the normal authentication mechanisms and log in as that user without providing valid credentials. The vulnerability is classified under CWE-288, which relates to authentication bypass using an alternate path or channel. The CVSS v3.1 base score of 9.8 reflects the high severity, with an attack vector that is network-based (AV:N), requiring no privileges (PR:N) or user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker can remotely exploit this vulnerability without any prior access or interaction, gaining full control over user accounts, including potentially administrative accounts. Since WordPress is a widely used content management system and Melapress Login Security is a plugin designed to enhance login security, this vulnerability undermines the fundamental security premise of the plugin, effectively negating its protective purpose. No patches are currently listed, and no known exploits in the wild have been reported yet, but the critical nature of the flaw and ease of exploitation make it a high-risk issue that could be rapidly weaponized once details become public. The vulnerability's impact extends beyond individual user accounts, as compromised accounts can lead to site defacement, data theft, malware injection, or pivoting to other internal systems.

For European organizations, this vulnerability poses a significant threat, especially for those relying on WordPress sites secured by the Melapress Login Security plugin. The ability for unauthenticated attackers to bypass authentication and assume user identities can lead to severe data breaches, loss of customer trust, and regulatory non-compliance under GDPR. Confidential information stored or processed via compromised accounts can be exfiltrated or manipulated, leading to financial losses and reputational damage. The integrity of websites can be compromised, resulting in defacement or distribution of malicious content to visitors. Availability may also be affected if attackers disrupt services or lock out legitimate users. Organizations in sectors such as finance, healthcare, e-commerce, and government are particularly at risk due to the sensitive nature of their data and the regulatory scrutiny they face. Additionally, the vulnerability could be exploited to launch further attacks within organizational networks if WordPress sites serve as entry points. Given the critical severity and ease of exploitation, European organizations must prioritize addressing this vulnerability to maintain operational security and compliance.

Immediate mitigation steps include disabling or uninstalling the Melapress Login Security plugin version 2.1.0 or 2.1.1 until a security patch is released. Organizations should monitor official vendor channels for updates and apply patches promptly once available. In the interim, implement compensating controls such as restricting access to WordPress admin interfaces via IP whitelisting or VPN-only access to reduce exposure. Enable multi-factor authentication (MFA) on all WordPress accounts to add an additional layer of security that cannot be bypassed by this vulnerability. Conduct thorough audits of user meta values and remove or obscure any predictable or sensitive meta keys that could be exploited. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function. Regularly review authentication logs for unusual login patterns or access attempts. Finally, educate site administrators about the risks and signs of compromise related to this vulnerability to enable rapid detection and response.