Skip to main content
CVE Vulnerability Database

CVE-2025-1717: Login Me Now Auth Bypass Vulnerability

CVE-2025-1717 is an authentication bypass flaw in Pluginly Login Me Now for WordPress that allows attackers to log in as any user, including administrators. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-1717 Overview

The Login Me Now plugin for WordPress contains an authentication bypass vulnerability affecting all versions up to and including 1.7.2. The flaw resides in the AutoLogin::listen() function, which performs authentication based on an arbitrary transient name. Unauthenticated attackers can leverage this weakness to log in as any existing user, including administrators. Exploitation requires a transient name and value generated by another piece of software present on the site, so the plugin alone does not expose the issue without that prerequisite. The vulnerability is tracked under [CWE-288] (Authentication Bypass Using an Alternate Path) and [CWE-306] (Missing Authentication for Critical Function).

Critical Impact

Successful exploitation grants attackers full administrator access to the WordPress site, enabling content modification, plugin installation, and complete site takeover.

Affected Products

  • Pluginly Login Me Now plugin for WordPress, versions up to and including 1.7.2
  • WordPress sites running the vulnerable plugin alongside companion software that generates predictable transients
  • All WordPress installations using login-me-now prior to the patched release

Discovery Timeline

  • 2025-02-27 - CVE-2025-1717 published to the National Vulnerability Database (NVD)
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2025-1717

Vulnerability Analysis

The Login Me Now plugin provides browser-token-based automatic login functionality through its AutoLogin class. The listen() method located in app/Logins/BrowserTokenLogin/AutoLogin.php reads a transient identifier from incoming requests and uses it to authenticate the associated user. The function trusts the supplied transient name without validating its origin or ensuring it was generated by the plugin itself. An attacker who can supply or predict a transient name and value created by another plugin or component installed on the same WordPress site can pass that transient through this flow and be logged in as the target user. Because WordPress transients are stored in the options table with predictable naming conventions, third-party plugins frequently create transients that the attacker can reference.

Root Cause

The root cause is missing authentication context validation. The AutoLogin::listen() function uses an arbitrary transient name as the sole basis for establishing a logged-in session. The plugin does not namespace its own transients, does not bind transient values to a cryptographic secret unique to the plugin, and does not verify that the transient was created through its own issuance routine. This design conflates the presence of a transient with proof of authentication intent.

Attack Vector

Exploitation is performed over the network without authentication or user interaction. An attacker identifies a WordPress site running Login Me Now alongside another plugin or theme that creates transients containing user identifiers. The attacker crafts a request to the vulnerable AutoLogin endpoint, supplying the foreign transient name. The plugin reads the transient, resolves it to a user, and issues a valid session cookie for that account. If the resolved account holds the administrator role, the attacker gains full control of the site. The attack complexity is elevated because it depends on a second piece of software producing a compatible transient, which is why the CVSS attack complexity is rated High.

No verified public exploit code is available. Technical details can be reviewed in the WordPress plugin source code and the Wordfence vulnerability report.

Detection Methods for CVE-2025-1717

Indicators of Compromise

  • Unexpected administrator logins recorded in WordPress audit logs with no preceding password authentication event
  • HTTP requests targeting Login Me Now AutoLogin endpoints carrying transient parameters that reference non-plugin transient names
  • Session cookies issued to client IP addresses that have never previously authenticated to the site
  • New administrator users, plugins, or themes installed shortly after anomalous login events

Detection Strategies

  • Inspect web server access logs for requests to Login Me Now auto-login URLs and correlate them with subsequent privileged actions
  • Compare the version of login-me-now installed across managed WordPress sites against the patched release identified in changeset 3247924
  • Enable verbose WordPress authentication logging and alert on wp_set_auth_cookie invocations originating from auto-login code paths

Monitoring Recommendations

  • Forward WordPress access and authentication logs to a centralized SIEM or data lake for correlation across hosting fleets
  • Alert on administrator account logins from new IP addresses, new user agents, or outside normal business hours
  • Track installation and update events for WordPress plugins to detect attacker persistence following a successful bypass

How to Mitigate CVE-2025-1717

Immediate Actions Required

  • Update the Login Me Now plugin to a version newer than 1.7.2 that includes the fix from changeset 3247924
  • Audit existing administrator accounts and remove any that cannot be attributed to legitimate users
  • Rotate passwords and invalidate active sessions for all privileged WordPress accounts on affected sites
  • Review installed plugins and themes to identify components that create transients with user identifiers

Patch Information

The vendor addressed the vulnerability in the Login Me Now repository via changeset 3247924. Site operators should upgrade through the WordPress plugin dashboard or by replacing the plugin files with the patched release. Refer to the Wordfence vulnerability report for the patched version reference.

Workarounds

  • Deactivate and remove the Login Me Now plugin until the patched version can be deployed
  • Restrict access to the WordPress site behind a web application firewall (WAF) rule that blocks requests to Login Me Now auto-login endpoints from untrusted networks
  • Enforce multi-factor authentication for administrator accounts to limit the impact of a hijacked session
bash
# Example WP-CLI command to update or remove the vulnerable plugin
wp plugin update login-me-now
# Or, if no patched version is yet available in your environment:
wp plugin deactivate login-me-now
wp plugin delete login-me-now

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.