Temporary Login Plugin Vulnerability (CVE-2026-7567)

Security Alert Summary

The Temporary Login plugin for WordPress contains an authentication bypass vulnerability (CVE-2026-7567) affecting versions up to and including 1.0.0. Improper input validation in a temporary login handling function allows an attacker to bypass token checks and authenticate as an active temporary login user by supplying a specially crafted GET parameter.

CVE Details

  • CVE ID: CVE-2026-7567
  • Affected component: Temporary Login plugin for WordPress
  • Affected versions: Versions up to and including 1.0.0
  • Published: May 1, 2026 at 10:15:58 AM
  • Last modified: May 1, 2026 at 3:26:24 PM
  • CVSS v3.1: Base Score 9.8, Severity: CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / User Interaction: No privileges required, no user interaction required (PR:N, UI:N)
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • CWE / Weakness: CWE-288 (Improper Authentication)

Technical Details

The vulnerability is caused by improper input validation in the maybe_login_temporary_user() function. The function expects the temp-login-token GET parameter to be a string but never verifies that it is a scalar before running its checks on it. If the parameter is supplied as an array instead, the non-empty array passes PHP's empty() check, and because sanitize_key() only handles scalar values, it returns an empty string for the array. That empty string is then passed as the meta_value to get_users(). Because WordPress ignores an empty meta_value, the call returns every user that carries the _temporary_login_token meta_key. An attacker can therefore authenticate as any active temporary login user with a single GET request that supplies an array for temp-login-token.
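The validation gap described above, reproduced as an added example that is not the plugin's own code. The script is self-contained: sanitize_key_stub() and get_users_stub() are simplified stand-ins for the WordPress functions (the stand-in reproduces the behaviour the advisory describes, returning every user when meta_value is empty), USERS is a constructed user table, and the function names vulnerable_lookup() and hardened_lookup() are illustrative. The hardened form is the check a patched handler should perform: require a string, reject an empty sanitized token, and insist on exactly one matching user before treating the lookup as an authentication.

```php
<?php
// Added example (not the plugin's code): the scalar-check gap described in
// the advisory, with stand-ins for the WordPress functions involved.

// Stand-in for WordPress sanitize_key(): core guards on is_scalar(), so any
// non-scalar input (such as an array) sanitizes to an empty string.
function sanitize_key_stub($key): string {
    if (!is_scalar($key)) {
        return '';
    }
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
}

// Constructed user table standing in for users that carry the
// _temporary_login_token meta key.
const USERS = [
    ['ID' => 7, 'login' => 'contractor-a', 'token' => 'a1b2c3d4e5f6'],
    ['ID' => 8, 'login' => 'contractor-b', 'token' => 'f6e5d4c3b2a1'],
];

// Stand-in for get_users(['meta_key' => '_temporary_login_token',
// 'meta_value' => $token]) reproducing the behaviour the advisory describes:
// an empty meta_value is ignored, so every user with the meta key is returned.
function get_users_stub(string $metaValue): array {
    if ($metaValue === '') {
        return USERS;
    }
    return array_values(array_filter(
        USERS,
        fn($u) => hash_equals($u['token'], $metaValue)
    ));
}

// Vulnerable pattern: empty() accepts a non-empty array, and the array then
// collapses to '' inside sanitize_key(), so the lookup matches everyone.
function vulnerable_lookup(array $get): array {
    if (empty($get['temp-login-token'])) {
        return [];
    }
    $token = sanitize_key_stub($get['temp-login-token']);
    return get_users_stub($token);
}

// Hardened pattern: the parameter must be a string, the sanitized token must
// be non-empty, and exactly one user must match.
function hardened_lookup(array $get): array {
    $raw = $get['temp-login-token'] ?? null;
    if (!is_string($raw)) {
        return [];
    }
    $token = sanitize_key_stub($raw);
    if ($token === '') {
        return [];
    }
    $matches = get_users_stub($token);
    return count($matches) === 1 ? $matches : [];
}

// Constructed request inputs: a valid token, and an array in place of a
// string (what PHP produces when a query parameter uses [] syntax).
$validRequest = ['temp-login-token' => 'a1b2c3d4e5f6'];
$arrayRequest = ['temp-login-token' => ['x']];

printf("vulnerable, valid token: %d user(s)\n", count(vulnerable_lookup($validRequest)));
printf("vulnerable, array input: %d user(s)\n", count(vulnerable_lookup($arrayRequest)));
printf("hardened,   valid token: %d user(s)\n", count(hardened_lookup($validRequest)));
printf("hardened,   array input: %d user(s)\n", count(hardened_lookup($arrayRequest)));
```

Run with `php example.php`. The vulnerable lookup returns every temporary-login user for the array input, while the hardened lookup returns none; the valid-token case behaves identically in both, which is why the fix costs legitimate users nothing. The is_string() check is the essential change; the single-match requirement is defence in depth against any other path that yields an overly broad query.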

How This Could Impact Your Website

In a realistic scenario, a site owner creates temporary logins for contractors or external contributors to grant short-term access. An unauthenticated attacker who crafts a single GET request could authenticate as one of those temporary login users without knowing a valid token. This may expose account-sensitive data such as internal user email addresses, increase the risk of targeted phishing or social engineering against staff members, and allow actions performed by those temporary accounts to be executed by the attacker. The impact aligns with very high confidentiality, integrity, and availability impact ratings from the CVSS data, but does not by itself describe escalation beyond the privileges of the temporary user accounts.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and temporary accounts, especially contributor or temporary logins.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and authentication logs for unusual behavior or unexpected account logins.
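One concrete way to act on the monitoring recommendation, as an added example that is not part of the advisory: scan web-server access logs for requests that pass temp-login-token in PHP's array syntax (name[]=value or name[key]=value, with the brackets either literal or percent-encoded as %5B/%5D). Ordinary string-form temp-login-token requests are the plugin's normal flow and are not flagged. The log format, sample lines, addresses and the function name find_array_token_requests() are all constructed for this example.

```php
<?php
// Added example (not from the advisory or the plugin): flag access-log
// entries whose query string passes temp-login-token as a PHP array.

// PHP parses "name[]=v" and "name[k]=v" into arrays; the opening bracket may
// appear literally or percent-encoded, so match both forms, case-insensitively.
const ARRAY_PARAM_PATTERN = '/[?&]temp-login-token(?:\[|%5B)/i';

// Returns the 1-based line numbers and entries that match the pattern.
function find_array_token_requests(array $logLines): array {
    $hits = [];
    foreach ($logLines as $n => $line) {
        if (preg_match(ARRAY_PARAM_PATTERN, $line)) {
            $hits[] = ['line' => $n + 1, 'entry' => $line];
        }
    }
    return $hits;
}

// Constructed sample log in combined-log style: one legitimate string-form
// token request, two array-form requests, and an unrelated request.
$sampleLog = [
    '203.0.113.5 - - [01/May/2026:10:20:01 +0000] "GET /?temp-login-token=a1b2c3d4e5f6 HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/May/2026:10:21:14 +0000] "GET /?temp-login-token%5B%5D=x HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/May/2026:10:22:30 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.9 - - [01/May/2026:10:23:02 +0000] "GET /?temp-login-token[0]=x&foo=bar HTTP/1.1" 302 0',
];

foreach (find_array_token_requests($sampleLog) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['entry']);
}
```

Run with `php scan.php`; only the second and fourth sample lines are reported. A hit on a site that was running an unpatched version is worth correlating with WordPress login events for temporary-login accounts around the same timestamp, and is a reason to rotate or expire those accounts.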

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
