CVE-2026-7567

CVE-2026-7567 is an authentication bypass vulnerability in the Temporary Login plugin for WordPress, affecting versions up to and including 1.0.0. The issue stems from improper input validation in the maybe_login_temporary_user() function, which processes the 'temp-login-token' GET parameter without verifying it as a scalar string. Supplying the parameter as an array bypasses PHP's empty() check, causing sanitize_key() to return an empty string. This empty value is passed as meta_value to get_users(), which WordPress ignores, returning all users matching the meta_key '_temporary_login_token'. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges. By sending a single crafted GET request with the 'temp-login-token' parameter as an array, attackers bypass token validation and authenticate as any active temporary login user. Successful exploitation grants attackers high confidentiality, integrity, and availability impacts, effectively impersonating legitimate temporary users without a valid token.

The provided references link to source code in the plugin's Trac repository, specifically lines 135 and 179 in core/admin.php for tags/1.0.0 and trunk, as well as line 157 in core/options.php for tags/1.0.0, highlighting the locations of the flawed input handling and processing logic. No explicit patch or mitigation details are detailed in the description or references.