CVE-2026-14495
Received Received - Intake

Authentication Bypass via Weak Token Generation in DoLogin Security

Vulnerability report for CVE-2026-14495, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Wordfence

Description

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` β€” discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) β€” after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly β€” never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout β€” an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordfence dologin_security_plugin to 4.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability allows an unauthenticated attacker to gain unauthorized access to any user account, including administrator accounts, on a WordPress site using the DoLogin Security plugin.

Such unauthorized access can lead to full compromise of the website, including data theft, site defacement, installation of malicious code, or further attacks on site visitors.

Executive Summary

The DoLogin Security plugin for WordPress has an authentication bypass vulnerability due to insufficient randomness in generating passwordless login tokens. The plugin seeds the random number generator with a value that has only about 20 bits of entropy, making the 32-character magic-link token predictable.

Because the token generation is deterministic and the login process bypasses normal authentication checks, an attacker can brute-force the limited seed space to reconstruct a valid login token for any user, including administrators, without needing a password.

Exploitation requires that a valid, unexpired passwordless login link exists for the target account and that the numeric ID embedded in the link is known or guessable.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14495. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart