Description
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in as an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on its own.
Published: 2025-02-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can gain access to any existing WordPress user account, including administrators, by exploiting the Login Me Now plugin’s insecure handling of transient names in the AutoLogin::listen() function. This authentication bypass gives the attacker control over the site, but the CVE entry does not describe further capabilities beyond the basic login.

Affected Systems

The vulnerability affects the Login Me Now plugin for WordPress from Pluginly, specifically versions 1.7.2 and earlier. Only WordPress sites running these versions are impacted; newer releases are not affected.

Risk and Exploitability

The CVSS base score of 8.1 places the flaw in the high severity range. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves sending crafted requests to the AutoLogin endpoint that include a valid transient name and value from another application. This requires the attacker to obtain or guess a transient value associated with a different software component, so exploitation is not automated. Despite the low likelihood, the potential impact of unauthorized account takeover warrants prompt remediation.

Generated by OpenCVE AI on April 21, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Login Me Now plugin to a patched version (1.7.3 or later) that addresses the authentication bypass.
  • If an update is not available, disable the AutoLogin feature by removing or deactivating the AutoLogin.php component to eliminate the vulnerable entry point.
  • Conduct a security audit of transient values on the site and any integrated applications to ensure no shared transient names could be leveraged by an attacker.
  • Implement firewall or rate‑limiting rules around the AutoLogin endpoint to reduce the attack surface if the feature remains enabled temporarily.

Generated by OpenCVE AI on April 21, 2026 at 22:15 UTC.

Advisories
Source ID Title
EUVD EUVD-2025-5118 The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in as an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on its own.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 11 Mar 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Pluginly
Pluginly login Me Now
Weaknesses CWE-306
CPEs cpe:2.3:a:pluginly:login_me_now:*:*:*:*:*:wordpress:*:*
Vendors & Products Pluginly
Pluginly login Me Now

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 27 Feb 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in as an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on its own.
Title Login Me Now <= 1.7.2 - Authentication Bypass
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:46.312Z

Reserved: 2025-02-26T15:43:02.736Z

Link: CVE-2025-1717

Vulnrichment

Updated: 2025-02-27T14:38:22.248Z

NVD

Status: Modified

Published: 2025-02-27T08:15:31.130

Modified: 2026-04-08T19:23:51.760

Link: CVE-2025-1717

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z
