CVE-2026-7567
Received Received - Intake
Authentication Bypass in Temporary Login WordPress Plugin

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: Wordfence

Description
The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-7567
EUVD
EUVD-2026-26490
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence temporary_login to 1.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Temporary Login plugin for WordPress has an authentication bypass vulnerability in versions up to and including 1.0.0. This occurs because the function maybe_login_temporary_user() does not properly validate the 'temp-login-token' GET parameter. Specifically, it fails to check that this parameter is a scalar string before processing it.

If an attacker supplies the 'temp-login-token' parameter as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string. This empty string is then used as the meta_value in a call to get_users(). Since WordPress ignores an empty meta_value, it returns all users matching the meta_key '_temporary_login_token'.

As a result, an unauthenticated attacker can authenticate as any active temporary login user by sending a single crafted GET request with the 'temp-login-token' parameter as an array.


How can this vulnerability impact me? :

This vulnerability allows unauthenticated attackers to bypass authentication and gain access to a WordPress site as any active temporary login user.

Because the attacker can impersonate legitimate users without valid credentials, they can potentially access sensitive information, modify site content, or perform administrative actions depending on the privileges of the temporary login user.

The CVSS score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart