CVE-2026-7567 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: May 1, 2026
WordPress Temporary Login - Authentication Bypass
Published: May 1, 2026 | Updated: May 1, 2026 | Remote Exploitable
Overview
The Temporary Login plugin for WordPress, versions <= 1.0.0, contains an authentication bypass caused by improper input validation of the 'temp-login-token' parameter in maybe_login_temporary_user(). An unauthenticated attacker can authenticate as any temporary login user via a crafted GET request.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can bypass authentication and gain access as any temporary login user, compromising user accounts.
Mitigation
Update to the latest version of the Temporary Login plugin.
References
- https://plugins.trac.wordpress.org/browser/temporary-login/tags/1.0.0/core/options.php#L157
- https://plugins.trac.wordpress.org/browser/temporary-login/trunk/core/admin.php#L135
- https://plugins.trac.wordpress.org/browser/temporary-login/trunk/core/admin.php#L179
- https://plugins.trac.wordpress.org/browser/temporary-login/trunk/core/options.php#L157
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f97c669b-86c1-4873-a050-76972f494099?source=cve
- https://plugins.trac.wordpress.org/browser/temporary-login/tags/1.0.0/core/admin.php#L135
- https://plugins.trac.wordpress.org/browser/temporary-login/tags/1.0.0/core/admin.php#L179
Details
- CVE ID: CVE-2026-7567
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: new
CWE
- CWE-288
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H