A security vulnerability has been identified in Temporary Login, a popular WordPress plugin designed to provide secure, credential-free access to site administrators. The flaw, tracked as CVE-2026-7567, carries a CVSS score of 9.8, signaling a critical risk for the more than 40,000 active installations relying on the tool for support and collaboration.
The plugin is primarily used to generate unique, temporary URLs that allow trusted support agents or colleagues to access a site’s dashboard without a username or password. However, this newly discovered bypass turns that convenience into a direct gateway for attackers.
The vulnerability lies within the plugin’s maybe_login_temporary_user() function. The software is designed to look for a specific temp-login-token via a GET parameter to authenticate a session.
The technical failure occurs because the function does not verify that the token is a single “scalar” string before processing it. When an attacker supplies the parameter as an array rather than a string, a chain reaction of logic errors occurs:
- PHP Logic Bypass: The array bypasses standard empty() checks.
- Sanitization Failure: The sanitize_key() function returns an empty string when it encounters the unexpected array format.
- Database Oversight: This empty string is passed to the WordPress get_users() function as a metadata value. WordPress ignores empty metadata values and simply returns all users associated with the temporary login key.
The result is that an unauthenticated attacker can log in as any active temporary user on the system by sending a single crafted GET request, effectively gaining administrative access without ever possessing a valid token.
The vulnerability impacts all versions of the plugin up to and including 1.0.0. Because the attack requires no prior authentication and can be executed with minimal technical effort, administrators are urged to take immediate action.
Administrators are advised to install version 1.1.0 or later, which contains the necessary input validation fixes.
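To check whether a site received requests of this shape before it was updated, the array-form parameter described above can be searched for in web server access logs. The script below is an added example, not code from the plugin or the advisory; it assumes combined-format access logs, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "temp-login-token"  # GET parameter named in the advisory

# Assumption: logs are in the common "combined" access log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def array_form_token(target):
    """Return True if the token parameter arrives as a PHP array (name[...])."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes keys, so %5B%5D is caught as well as [].
    return any(
        key.startswith(PARAM + "[")
        for key, _ in parse_qsl(query, keep_blank_values=True)
    )

def scan(lines):
    """Return (client_ip, status, request_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and array_form_token(m.group("target")):
            hits.append((m.group("ip"), m.group("status"), m.group("target")))
    return hits

# Constructed sample lines (documentation IP ranges, made-up token values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:01:02 +0000] "GET /wp-admin/?temp-login-token=a1b2c3d4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2026:10:03:11 +0000] "GET /?temp-login-token[]=x HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [01/Jan/2026:10:04:40 +0000] "GET /?temp-login-token%5B%5D= HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [01/Jan/2026:10:05:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE_LOG):
        print(f"array-form {PARAM} from {ip} (HTTP {status}): {target}")
```

A legitimate temporary login link carries the token as a single string, so any hit is worth reviewing alongside the site's user sessions for the same time window.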