Description
The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper validation of the 'temp-login-token' GET parameter within the Temporary Login plugin for WordPress. It allows an unauthenticated attacker to supply the parameter as an array: a non-empty array passes PHP's empty() check, and sanitize_key(), which returns an empty string for non-scalar input, yields ''. This empty string is then used as the meta_value in a call to get_users(), leading WordPress to return all users with the meta_key '_temporary_login_token'. The attacker can thus authenticate as any active temporary login user without a valid token. The weakness is classified as CWE-288 (Authorization Bypass Through User-Controlled Key). The result is complete account takeover of temporary login users, compromising confidentiality, integrity, and potentially leading to broader site compromise.

Affected Systems

WordPress sites that have the Temporary Login plugin (elemntor:Temporary Login) installed, specifically any version up to and including 1.0.0.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 9.8, indicating a critical risk level. EPSS information is not available, but the lack of a KEV listing does not diminish the potential for widespread exploitation, given the plugin's popularity and the ease of crafting the required GET request. The attack can be performed by anyone with network access to the host, requiring no authentication or privileged credentials. An attacker only needs to send a single crafted request with the 'temp-login-token' parameter set as an array to bypass authentication and assume the identity of any temporary login user.

Generated by OpenCVE AI on May 1, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Temporary Login plugin to the latest version that contains the input validation fix (if available).
  • If an update is not immediately available, disable or deactivate the plugin to eliminate the vulnerability until a patch is released.
  • As a temporary custom fix, modify the maybe_login_temporary_user() function to verify that the 'temp-login-token' GET parameter is a scalar string before passing it to sanitize_key() or get_users().
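The following is an added example of the hardening the last recommendation describes; it is not the plugin's own code. The function names (example_read_temp_login_token, example_maybe_login_temporary_user), the use of the 'init' hook, and the assumption that tokens are stored in sanitize_key() form are illustrative; the GET parameter name and the meta key '_temporary_login_token' are taken from the advisory. The type check runs before sanitize_key(), and the lookup never reaches get_users() with an empty meta_value, which is the condition that makes WordPress match every user carrying the meta key.

```php
<?php
/**
 * Added example (not the plugin's code): hardened handling of the
 * 'temp-login-token' GET parameter. Function names and the 'init' hook are
 * illustrative; the parameter name and meta key come from the advisory.
 */

/**
 * Return the request token only if it is a non-empty scalar string.
 *
 * A one-element array passes empty() and makes sanitize_key() return '',
 * so the type check must happen before any sanitization.
 */
function example_read_temp_login_token() {
    if ( ! isset( $_GET['temp-login-token'] ) ) {
        return null;
    }
    $raw = $_GET['temp-login-token'];
    if ( ! is_string( $raw ) ) {
        // Array or other non-string input: treat it as no token at all.
        return null;
    }
    $token = sanitize_key( wp_unslash( $raw ) );
    if ( '' === $token ) {
        return null;
    }
    return $token;
}

/**
 * Look up exactly one user by token. get_users() is never called with an
 * empty meta_value, because WordPress drops an empty value and would then
 * return every user that has the meta_key at all.
 */
function example_maybe_login_temporary_user() {
    $token = example_read_temp_login_token();
    if ( null === $token ) {
        return;
    }

    $users = get_users( array(
        'meta_key'   => '_temporary_login_token',
        'meta_value' => $token,
        'number'     => 2, // request two so an ambiguous match is detectable
    ) );

    if ( 1 !== count( $users ) ) {
        return; // no match, or two users share a token: refuse to log in
    }

    $user   = $users[0];
    $stored = get_user_meta( $user->ID, '_temporary_login_token', true );

    // Re-verify against the stored value in constant time instead of trusting
    // the query alone (assumes tokens are stored in sanitize_key() form).
    if ( ! is_string( $stored ) || ! hash_equals( sanitize_key( $stored ), $token ) ) {
        return;
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
}
add_action( 'init', 'example_maybe_login_temporary_user' );
```

Requesting two rows from get_users() and refusing unless exactly one comes back is a cheap guard against any future path that again widens the query; the constant-time re-check of the stored meta is a second, independent condition that an empty or malformed query value cannot satisfy.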

Generated by OpenCVE AI on May 1, 2026 at 23:51 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 May 2026 10:00:00 +0000

Values Removed: (none)

Values Added:

Description: The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.
Title: Temporary Login <= 1.0.0 - Authentication Bypass to Account Takeover
Weaknesses: CWE-288
References: (none)
Metrics: cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-01T14:27:42.580Z

Reserved: 2026-04-30T20:58:51.799Z

Link: CVE-2026-7567

Vulnrichment

Updated: 2026-05-01T14:27:19.845Z

NVD

Status: Deferred

Published: 2026-05-01T10:15:58.080

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses