Description
Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions.
Published: 2026-06-17
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated insecure direct object reference (IDOR) exists in the Clean Login plugin for WordPress versions 1.15 and earlier. This flaw allows an attacker to craft requests targeting internal object identifiers and gain access to protected resources or sensitive data that were intended to be restricted. The weakness originates from insufficient authorization checks on plugin endpoints, a classic instance of CWE-639, and could potentially compromise user accounts, private settings, or other confidential information stored by the plugin.

Affected Systems

The vulnerability affects installations of the Clean Login plugin developed by Alberto Hornero. All releases up to and including version 1.15 are considered vulnerable. No other products are explicitly listed.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity vulnerability, and while an EPSS score is not available, the lack of a KEV listing does not reduce the inherent risk. The attack vector is inferred to be through direct HTTP calls to the plugin’s API or admin interfaces, exploiting the missing access control. An attacker can exploit the IDOR without needing any authentication, making the vulnerability readily actionable by anyone with network access to the WordPress site.

Generated by OpenCVE AI on June 18, 2026 at 14:00 UTC.

Remediation

Vendor Solution

Update the WordPress Clean Login Plugin to the latest available version (at least 1.16).


OpenCVE Recommended Actions

  • Upgrade the Clean Login plugin to version 1.16 or later, which removes the IDOR flaw.
  • If an upgrade is not immediately possible, temporarily disable or uninstall the Clean Login plugin until a secure version is installed.
  • Configure the web server or application firewall to block unauthenticated requests to the Clean Login plugin’s API endpoints, restricting access to authenticated administrators only.

Generated by OpenCVE AI on June 18, 2026 at 14:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Alberto Hornero
Alberto Hornero clean Login
Wordpress
Wordpress wordpress
Vendors & Products Alberto Hornero
Alberto Hornero clean Login
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions.
Title WordPress Clean Login plugin <= 1.15 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

Alberto Hornero Clean Login
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:18:36.587Z

Reserved: 2026-06-12T09:15:46.416Z

Link: CVE-2026-54184

cve-icon Vulnrichment

Updated: 2026-06-17T12:18:28.975Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:46Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key