CVE-2026-7567
Published: 01 May 2026
Summary
CVE-2026-7567 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of inputs like the 'temp-login-token' GET parameter to ensure it is a scalar string, preventing the array-based bypass of authentication checks.
Mandates timely identification, reporting, and correction of the specific input validation flaw in the WordPress plugin, eliminating the vulnerability through patching.
Enforces approved access authorizations only after proper authentication validation, blocking unauthorized impersonation of temporary login users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a WordPress plugin, a public-facing web application, directly enabling unauthenticated remote exploitation for initial access.
NVD Description
The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a…
more
scalar string before processing it. When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.
Deeper analysisAI
CVE-2026-7567 is an authentication bypass vulnerability in the Temporary Login plugin for WordPress, affecting versions up to and including 1.0.0. The issue stems from improper input validation in the maybe_login_temporary_user() function, which processes the 'temp-login-token' GET parameter without verifying it as a scalar string. Supplying the parameter as an array bypasses PHP's empty() check, causing sanitize_key() to return an empty string. This empty value is passed as meta_value to get_users(), which WordPress ignores, returning all users matching the meta_key '_temporary_login_token'. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges. By sending a single crafted GET request with the 'temp-login-token' parameter as an array, attackers bypass token validation and authenticate as any active temporary login user. Successful exploitation grants attackers high confidentiality, integrity, and availability impacts, effectively impersonating legitimate temporary users without a valid token.
The provided references link to source code in the plugin's Trac repository, specifically lines 135 and 179 in core/admin.php for tags/1.0.0 and trunk, as well as line 157 in core/options.php for tags/1.0.0, highlighting the locations of the flawed input handling and processing logic. No explicit patch or mitigation details are detailed in the description or references.
Details
- CWE(s)