CVE-2025-2876: 
WordPress vulnerability analysis and mitigation

The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress contain a vulnerability (CVE-2025-2876) discovered in version 2.1.0. The vulnerability stems from a missing capability check in the 'monitoradminactions' function, which allows unauthenticated attackers to delete any user from the WordPress installation (NVD).

The vulnerability exists due to improper authorization checks in the 'monitoradminactions' function within the temporary-logins module. The function fails to properly validate user capabilities before executing user deletion operations. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue has been classified as CWE-862: Missing Authorization (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to delete any user account from the WordPress installation, potentially leading to unauthorized loss of data and denial of service for legitimate users (NVD).

The vulnerability has been addressed in a subsequent release. Website administrators are advised to update their MelaPress Login Security and MelaPress Login Security Premium plugins to the latest version. The fix includes proper capability checks before executing user deletion operations (MelaPress).