CVE-2025-1717
Published: 27 February 2025
Description
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
Security Summary
CVE-2025-1717 is an authentication bypass vulnerability in the Login Me Now plugin for WordPress, affecting versions up to and including 1.7.2. The issue stems from insecure authentication logic in the AutoLogin::listen() function, which relies on an arbitrary transient name. This flaw is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function), earning a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability over the network to log in as any existing user on the site, including administrators, by supplying a transient name and value. Exploitation requires obtaining the transient from another software, so the plugin is not vulnerable in isolation. The high attack complexity reflects this dependency, but successful compromise grants high-impact confidentiality, integrity, and availability effects.
Wordfence's threat intelligence advisory provides further details on the vulnerability. Mitigation is addressed via a patch in WordPress plugin repository changeset 3247924. The vulnerable code is visible in AutoLogin.php at line 24 of version 1.7.2; security practitioners should update to a fixed version and review sites using this plugin for transient usage from integrated software.
Details
- CWE(s)