External risk intelligence

WordPress plugin allows attackers to log in as any user without a password

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-7567

The Temporary Login plugin for WordPress has a critical flaw allowing anyone to log in as any user without a password. This internet-accessible vulnerability means your WordPress site could be compromised without any valid login.

4Halo Surface Signal

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-7567

The vulnerability affects a WordPress plugin designed to handle site logins. WordPress installations are widely deployed as internet-facing web applications. Since the vulnerable function is part of the application's web-facing authentication interface, it is directly accessible to any user visiting the website over the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

An issue in the Temporary Login plugin for WordPress allows anyone to log in as any user without needing a valid token. This happens because the plugin doesn't properly check the login token before using it, potentially letting unauthorized individuals access accounts.

Attackers can bypass login requirements.
Any active temporary login user could be impersonated.
The vulnerability is reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can bypass authentication by exploiting a flaw in the Temporary Login plugin. By sending a crafted GET request with the 'temp-login-token' parameter as an array, the plugin's validation fails, allowing the attacker to authenticate as any user with a temporary login token set. This effectively grants them access to the site as that user without needing a valid token.

Unauthenticated access required.
Target plugin's temporary login function.
Exploitable via crafted GET request.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability in a WordPress login plugin allows unauthenticated attackers to bypass authentication and log in as any user. Attackers are likely to weaponize this because it targets a popular content management system, offers easy remote exploitation, and impacts authentication directly.

Affects widely used WordPress.
Exploits an authentication bypass flaw.
Easy remote unauthenticated access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and blocking any traffic attempting to exploit the Temporary Login plugin's authentication bypass vulnerability by sending an array for the 'temp-login-token' parameter. This critical vulnerability allows unauthenticated attackers to log in as any temporary login user, posing a severe risk to all WordPress sites using versions up to 1.0.0.

Block requests with non-scalar 'temp-login-token' parameters.
Update the Temporary Login plugin to a patched version.
Monitor for unauthorized logins via temporary tokens.

Frequently asked questions

What is the Temporary Login plugin for WordPress and its purpose?

The Temporary Login plugin for WordPress is a tool that allows website administrators to generate temporary user accounts for specific purposes. It facilitates granting limited-time access for tasks or demonstrations without creating permanent user accounts.

How does CVE-2026-7567 enable authentication bypass in WordPress?

CVE-2026-7567 is an authentication bypass vulnerability. It arises from the plugin's inadequate validation of the 'temp-login-token' GET parameter. When this parameter is provided as an array instead of a string, the security checks are circumvented, permitting unauthorized access.

What is the specific weakness exploited by CVE-2026-7567?

The weakness is CWE-288, which involves improper input validation. The plugin's maybe_login_temporary_user() function fails to ensure the 'temp-login-token' GET parameter is a scalar string. This allows an array input, bypassing PHP's empty() check and leading to improper user retrieval.

What is the relevance of CVE-2026-7567, according to Halo Surface Signal?

Halo classifies this CVE as 'Likely' to be exploited. The vulnerability affects a WordPress plugin used for logins, and WordPress is widely deployed on internet-facing web applications. The flaw is directly accessible via the public internet's authentication interface.

What steps should be taken to mitigate the risk of CVE-2026-7567?

To mitigate this critical vulnerability, WordPress sites using versions of the Temporary Login plugin up to 1.0.0 should immediately update to a patched version. Additionally, monitor for unauthorized logins and consider blocking traffic that attempts to exploit the flaw by sending an array for the 'temp-login-token' parameter.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.