Melapress Login Security Security & Risk Analysis

wordpress.org/plugins/melapress-login-security

Enforce WordPress login and password security policies to protect user accounts and prevent unauthorized logins.

2K active installs v2.3.0 PHP 7.3+ WP 5.5+ Updated Feb 9, 2026
Tags: brute-force, limit-login-attempts, limit-logins, login, login-security
Score: 91
Grade: A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jul 25, 2025
Safety Verdict

Is Melapress Login Security Safe to Use in 2026?

Generally Safe

Score 91/100

Melapress Login Security has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jul 25, 2025 · Updated 1mo ago
Risk Assessment

The melapress-login-security plugin v2.3.0 presents a mixed security posture. On the positive side, the plugin demonstrates good practices regarding SQL query sanitization, utilizing prepared statements for all queries and a high percentage of properly escaped output. The presence of numerous nonce and capability checks also suggests an effort to secure certain functionalities. However, significant concerns arise from the substantial attack surface, particularly the 14 AJAX handlers, with 11 of them lacking authentication checks. This directly exposes a large portion of the plugin's functionality to unauthorized access.

The vulnerability history of this plugin is a major red flag. Four known CVEs, including one critical and one high severity, and common vulnerability types such as Authentication Bypass, Deserialization of Untrusted Data, and PHP Remote File Inclusion indicate a recurring pattern of security weaknesses. The last vulnerability is very recent (2025-07-25) and is listed as 'currently unpatched', although the data states 0 unpatched; this contradiction needs clarification. Assuming the last reported vulnerability is indeed a real issue and the 'unpatched' count is an error, this is highly concerning, suggesting that attackers may have exploitable vulnerabilities available.

While the taint analysis shows no critical or high severity unsanitized paths in the current version, the past vulnerability patterns and the substantial unprotected attack surface are strong indicators of potential future risks. The presence of `unserialize` without immediate context on its usage is also a point of caution, especially given the plugin's history with deserialization vulnerabilities. In conclusion, while the plugin has some good security implementations, the combination of a large unprotected attack surface and a history of severe vulnerabilities warrants significant caution.

Key Concerns

  • 11 unprotected AJAX handlers
  • 1 critical historical CVE
  • 1 high historical CVE
  • 2 medium historical CVEs
  • Common vulnerability types: Auth Bypass, Deserialization, RFI
  • Dangerous function: unserialize
  • Bundled library: Freemius
Vulnerabilities
4

Melapress Login Security Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 3 CVEs

Severity Breakdown

Critical: 1
High: 1
Medium: 2

4 total CVEs

CVE-2025-6895 · critical · 9.8 · Authentication Bypass Using an Alternate Path or Channel

MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function

Jul 25, 2025 Patched in 2.2.0 (1d)

CVE-2025-39565 · high · 7.2 · Deserialization of Untrusted Data

MelaPress Login Security <= 2.1.0 - Authenticated (Administrator+) PHP Object Injection

Apr 16, 2025 Patched in 2.1.1 (7d)

CVE-2025-2876 · medium · 5.3 · Missing Authorization

MelaPress Login Security and MelaPress Login Security Premium 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion

Apr 7, 2025 Patched in 2.1.1 (1d)

CVE-2024-35650 · medium · 6.6 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

MelaPress Login Security <= 1.3.0 - Authenticated (Admin+) Remote File Inclusion

Jun 3, 2024 Patched in 1.3.1 (9d)
Code Analysis
Analyzed Mar 16, 2026

Melapress Login Security Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (26 prepared)
Unescaped Output: 72 (467 escaped)
Nonce Checks: 21
Capability Checks: 22
File Operations: 1
External Requests: 5
Bundled Libraries: 1

Dangerous Functions Found

unserialize
$value_arr = unserialize( $setting_value, array( 'allowed_classes' => false ) ); // phpcs:igno
app\helpers\class-settings-importer.php:447

Bundled Libraries

Freemius

SQL Query Safety

100% prepared · 26 total queries

Output Escaping

87% escaped · 539 total outputs
Data Flows
All sanitized

Data Flow Analysis

7 flows
display_admin_notices (admin\classes\class-user-helper.php:395)
Attack Surface
11 unprotected

Melapress Login Security Attack Surface

Entry Points: 18
Unprotected: 11

AJAX Handlers 14

auth wp_ajax_get_users_roles admin\class-mls-multisite-admin.php:51
auth wp_ajax_mls_send_test_email admin\class-mls-multisite-admin.php:52
auth wp_ajax_mls_process_reset admin\class-mls-multisite-admin.php:53
auth wp_ajax_dismiss_mls_update_notice admin\class-mls-multisite-admin.php:84
auth wp_ajax_mls_begin_migration admin\class-mls-multisite-admin.php:85
auth wp_ajax_mls_get_migration_status admin\class-mls-multisite-admin.php:86
auth wp_ajax_mls_send_summary_email app\crons\class-summaryemail.php:60
auth wp_ajax_ppm_ajax_session_expired app\enforcers\class-check-user-expiry.php:62
auth wp_ajax_dismiss_password_expiry_soon_notice app\enforcers\class-check-user-expiry.php:68
auth wp_ajax_generate-password app\helpers\class-wp-password-gen.php:60
nopriv wp_ajax_generate-password app\helpers\class-wp-password-gen.php:61
auth wp_ajax_mls_edd_activate_license app\Licensing\class-edd-provider.php:107
auth wp_ajax_mls_edd_deactivate_license app\Licensing\class-edd-provider.php:108
auth wp_ajax_mls_unlock_inactive_user app\modules\failed-logins\class-unlock-inactive-user-ajax.php:71

Shortcodes 4

[mls_user_password_expiry_notice] app\enforcers\class-check-user-expiry.php:69
[ppmwp-custom-form] app\enforcers\class-shortcodes.php:47
[mls-custom-form] app\enforcers\class-shortcodes.php:48
[mls-gdpr-banner] app\login-page-control\class-login-page-control.php:78

WordPress Hooks 111

action network_admin_menu admin\class-mls-multisite-admin.php:48
action admin_footer admin\class-mls-multisite-admin.php:56
action admin_footer admin\class-mls-multisite-admin.php:57
action admin_enqueue_scripts admin\class-mls-multisite-admin.php:70
action network_admin_menu admin\class-mls-multisite-admin.php:74
action network_admin_notices admin\class-mls-multisite-admin.php:77
filter mls_settings_page_nav_tabs admin\class-mls-multisite-admin.php:91
filter mls_settings_page_content_tabs admin\class-mls-multisite-admin.php:92
action network_admin_notices admin\class-mls-multisite-admin.php:205
filter cron_schedules app\crons\class-summaryemail.php:50
action mls_send_summary_email app\crons\class-summaryemail.php:136
action admin_init app\enforcers\class-check-user-expiry.php:59
action wp_loaded app\enforcers\class-check-user-expiry.php:60
action admin_notices app\enforcers\class-check-user-expiry.php:67
filter wp_authenticate_user app\enforcers\class-check-user-expiry.php:93
action wp_enqueue_scripts app\enforcers\class-forms.php:94
action load-user-edit.php app\enforcers\class-forms.php:162
action load-profile.php app\enforcers\class-forms.php:164
action load-user-new.php app\enforcers\class-forms.php:168
action admin_print_styles-user-edit.php app\enforcers\class-forms.php:171
action admin_print_styles-profile.php app\enforcers\class-forms.php:172
action admin_print_styles-user-new.php app\enforcers\class-forms.php:173
action validate_password_reset app\enforcers\class-forms.php:174
action admin_print_styles-user-edit.php app\enforcers\class-forms.php:177
action admin_print_styles-profile.php app\enforcers\class-forms.php:178
action admin_print_styles-user-new.php app\enforcers\class-forms.php:179
action validate_password_reset app\enforcers\class-forms.php:180
action validate_password_reset app\enforcers\class-forms.php:184
action resetpass_form app\enforcers\class-forms.php:185
action wp_print_scripts app\enforcers\class-forms.php:189
filter password_hint app\enforcers\class-forms.php:281
filter password_hint app\enforcers\class-forms.php:508
action validate_password_reset app\enforcers\class-new-user.php:36
action user_profile_update_errors app\enforcers\class-new-user.php:37
filter login_redirect app\enforcers\class-new-user.php:38
filter login_message app\enforcers\class-new-user.php:99
action validate_password_reset app\enforcers\class-password-check.php:103
action user_profile_update_errors app\enforcers\class-password-check.php:108
action wp_authenticate app\enforcers\class-reset-passwords.php:38
filter password_reset_expiration app\enforcers\class-reset-passwords.php:42
filter allow_password_reset app\enforcers\class-reset-passwords.php:44
filter send_retrieve_password_email app\enforcers\class-reset-passwords.php:45
filter user_row_actions app\enforcers\class-reset-passwords.php:46
action lostpassword_errors app\enforcers\class-reset-passwords.php:47
filter mepr-validate-forgot-password app\enforcers\class-reset-passwords.php:48
action ppm_settings_additional_settings app\enforcers\class-restrict-login-credentials.php:35
filter authenticate app\enforcers\class-restrict-login-credentials.php:36
action ppm_message_settings_markup_footer app\enforcers\class-restrict-login-credentials.php:37
action user_register app\helpers\class-password-history.php:44
action invite_user app\helpers\class-password-history.php:45
action profile_update app\helpers\class-password-history.php:46
action mls_apply_forced_reset_usermeta app\helpers\class-password-history.php:49
action password_reset app\helpers\class-password-history.php:61
action after_password_reset app\helpers\class-password-history.php:62
action retrieve_password_key app\helpers\class-password-history.php:226
action admin_enqueue_scripts app\helpers\class-pointer.php:35
action admin_enqueue_scripts app\helpers\class-wp-admin-pointer.php:61
action admin_print_footer_scripts app\helpers\class-wp-admin-pointer.php:62
action validate_password_reset app\helpers\class-wp-password-gen.php:41
action user_new_form_tag app\helpers\class-wp-password-gen.php:44
action personal_options app\helpers\class-wp-password-gen.php:47
action admin_init app\helpers\class-wp-password-gen.php:50
action login_init app\helpers\class-wp-password-gen.php:51
filter random_password app\helpers\class-wp-password-gen.php:74
action admin_init app\Licensing\class-edd-provider.php:98
action admin_init app\Licensing\class-edd-provider.php:101
action admin_notices app\Licensing\class-edd-provider.php:104
action admin_init app\Licensing\class-freemius-provider.php:59
action admin_init app\Licensing\class-freemius-provider.php:60
action melapress_login_security_freemius_loaded app\Licensing\class-freemius-provider.php:61
action admin_init app\Licensing\class-licensing-factory.php:74
action admin_notices app\Licensing\class-licensing-factory.php:211
filter site_url app\login-page-control\class-login-page-control.php:62
filter network_site_url app\login-page-control\class-login-page-control.php:63
filter wp_redirect app\login-page-control\class-login-page-control.php:64
filter site_option_welcome_email_content app\login-page-control\class-login-page-control.php:65
filter user_request_action_email_content app\login-page-control\class-login-page-control.php:66
filter login_url app\login-page-control\class-login-page-control.php:68
filter authenticate app\login-page-control\class-login-page-control.php:71
filter login_footer app\login-page-control\class-login-page-control.php:77
action ppm_settings_additional_settings app\modules\class-security-prompt.php:60
action lostpassword_form app\modules\class-security-prompt.php:67
action lostpassword_errors app\modules\class-security-prompt.php:68
action admin_enqueue_scripts app\modules\class-security-prompt.php:69
action wp_login_failed app\modules\class-security-prompt.php:70
action login_form app\modules\class-security-prompt.php:71
filter wp_authenticate_user app\modules\class-security-prompt.php:72
filter login_message app\modules\class-security-prompt.php:73
action show_user_profile app\modules\class-security-prompt.php:77
action edit_user_profile app\modules\class-security-prompt.php:78
action personal_options_update app\modules\class-security-prompt.php:79
action edit_user_profile_update app\modules\class-security-prompt.php:80
filter admin_notices app\modules\class-security-prompt.php:83
action ppm_message_settings_markup_footer app\modules\class-security-prompt.php:84
action ppm_settings_additional_settings app\modules\failed-logins\class-failed-logins.php:39
action wp_login app\modules\failed-logins\class-failed-logins.php:46
filter learndash_safe_redirect_location app\modules\failed-logins\class-failed-logins.php:48
action mepr-login-form-before-submit app\modules\failed-logins\class-failed-logins.php:50
action admin_init app\modules\failed-logins\class-failed-logins.php:51
action mls_enqueue_admin_scripts app\modules\failed-logins\class-failed-logins.php:52
action ppm_settings_additional_settings app\modules\restrict-logins\restrict-logins-boot.php:14
action ppm_message_settings_markup_footer app\modules\restrict-logins\restrict-logins-boot.php:15
action show_user_profile app\modules\restrict-logins\restrict-logins-boot.php:16
action edit_user_profile app\modules\restrict-logins\restrict-logins-boot.php:17
action personal_options_update app\modules\restrict-logins\restrict-logins-boot.php:18
action edit_user_profile_update app\modules\restrict-logins\restrict-logins-boot.php:19
action authenticate app\modules\restrict-logins\restrict-logins-boot.php:20
action admin_notices app\modules\temporary-logins\class-temporary-logins.php:153
action admin_notices app\modules\temporary-logins\class-temporary-logins.php:162
action admin_notices app\modules\temporary-logins\class-temporary-logins.php:171
action before_woocommerce_init melapress-login-security.php:351

Scheduled Events 2

mls_send_summary_email
mls_send_summary_email
Maintenance & Trust

Melapress Login Security Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 9, 2026
PHP min version: 7.3
Downloads: 25K

Community Trust

Rating: 100/100
Number of ratings: 17
Active installs: 2K
Developer Profile

Melapress Login Security Developer Profile

Melapress

6 plugins · 417K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 540 days
Detection Fingerprints

How We Detect Melapress Login Security

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/melapress-login-security/assets/dist/css/frontend.css
/wp-content/plugins/melapress-login-security/assets/dist/js/frontend.js
/wp-content/plugins/melapress-login-security/assets/dist/css/admin.css
/wp-content/plugins/melapress-login-security/assets/dist/js/admin.js
Script Paths
/wp-content/plugins/melapress-login-security/assets/dist/js/frontend.js
/wp-content/plugins/melapress-login-security/assets/dist/js/admin.js
Version Parameters
melapress-login-security/assets/dist/css/frontend.css?ver=
melapress-login-security/assets/dist/js/frontend.js?ver=
melapress-login-security/assets/dist/css/admin.css?ver=
melapress-login-security/assets/dist/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
mls-login-security
Data Attributes
data-mls-login-form
JS Globals
mls_frontend_data
REST Endpoints
/wp-json/melapress/v1/login-security