CVE-2026-7567 Overview
CVE-2026-7567 is an authentication bypass vulnerability affecting the Temporary Login plugin for WordPress in versions up to and including 1.0.0. The flaw resides in the maybe_login_temporary_user() function, which fails to validate that the temp-login-token GET parameter is a scalar string. When an attacker submits the parameter as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string. WordPress then ignores the empty meta_value passed to get_users() and returns every user matching the _temporary_login_token meta key. An unauthenticated attacker can authenticate as any active temporary login user with a single crafted GET request [CWE-288].
Critical Impact
Unauthenticated remote attackers can hijack any active temporary login account, gaining the privileges assigned to that user.
Affected Products
- WordPress Temporary Login plugin versions ≤ 1.0.0
- Vulnerable function: maybe_login_temporary_user() in core/admin.php
- Vulnerable usermeta lookup: _temporary_login_token via get_users()
Discovery Timeline
- 2026-05-01 - CVE-2026-7567 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-7567
Vulnerability Analysis
The Temporary Login plugin issues short-lived access tokens that allow third parties to log into a WordPress site as a designated user. Authentication is performed by reading the temp-login-token GET parameter, sanitizing it, and querying the users table for a matching _temporary_login_token usermeta value. The plugin treats the parameter as a string without first verifying its type.
When the parameter arrives as an array, PHP's empty() returns false, so the early-exit guard is skipped. sanitize_key() then receives a non-string input and returns an empty string. The empty string is forwarded as the meta_value argument to get_users(). WordPress core silently ignores empty meta_value arguments while still applying the meta_key filter, returning every user that holds an active temporary login record.
Root Cause
The root cause is improper input validation [CWE-288]. The plugin does not enforce a scalar type check on the temp-login-token parameter before passing it through sanitize_key() and into the user query. Combined with WordPress's behavior of dropping empty meta-value filters, the missing type check collapses the authentication boundary.
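Added example, not code from the plugin or the advisory: a cut-down reproduction of the mechanism described in the Vulnerability Analysis and Root Cause sections, shown as the unchecked lookup beside a hardened one. demo_sanitize_key() and demo_get_users() are stand-ins that mimic only the relevant behaviour of the WordPress helpers, and the user ids and token values are constructed.

```php
<?php
// Added demonstration, not the plugin's own code: the helpers below are minimal
// stand-ins that reproduce only the WordPress behaviour the advisory relies on.

// Stand-in for sanitize_key(): non-scalar input yields an empty string.
function demo_sanitize_key($key): string {
    if (!is_scalar($key)) {
        return '';
    }
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
}

// Stand-in for get_users(['meta_key' => ..., 'meta_value' => ...]): like WP core,
// an empty meta_value drops the value filter but keeps the meta_key filter.
function demo_get_users(array $args, array $tokens): array {
    if ($args['meta_value'] === '') {
        return array_keys($tokens);                        // every user holding the key
    }
    return array_keys($tokens, $args['meta_value'], true); // exact token match only
}

// Lookup as the advisory describes it: the only guard is empty().
function vulnerable_lookup(array $get, array $tokens): ?int {
    $token = $get['temp-login-token'] ?? '';
    if (empty($token)) {                 // a one-element array such as [''] passes
        return null;
    }
    $token = demo_sanitize_key($token);  // array collapses to ''
    $users = demo_get_users(['meta_key' => '_temporary_login_token', 'meta_value' => $token], $tokens);
    return $users[0] ?? null;            // first user with any active token
}

// Hardened lookup: require a non-empty string both before and after sanitising.
function hardened_lookup(array $get, array $tokens): ?int {
    $token = $get['temp-login-token'] ?? '';
    if (!is_string($token) || $token === '') {
        return null;                     // arrays and empty values never reach the query
    }
    $token = demo_sanitize_key($token);
    if ($token === '') {
        return null;
    }
    $users = demo_get_users(['meta_key' => '_temporary_login_token', 'meta_value' => $token], $tokens);
    return $users[0] ?? null;
}

// Constructed usermeta rows: user_id => _temporary_login_token value.
$demo_tokens = [3 => 'a1b2c3d4', 7 => 'e5f6g7h8'];
// ?temp-login-token[]= arrives in $_GET as ['']; only the hardened version rejects it.
var_dump(vulnerable_lookup(['temp-login-token' => ['']], $demo_tokens));
var_dump(hardened_lookup(['temp-login-token' => ['']], $demo_tokens));
var_dump(hardened_lookup(['temp-login-token' => 'a1b2c3d4'], $demo_tokens));
```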
Attack Vector
Exploitation requires no authentication, no user interaction, and no prior knowledge of any token. The attacker sends a single HTTP GET request to the plugin endpoint with temp-login-token supplied as an array (for example, ?temp-login-token[]=). The plugin authenticates the request as the first matching temporary user, establishing a valid session. See the Wordfence Vulnerability Report and the WordPress Plugin Code Snippet for the affected source lines.
Detection Methods for CVE-2026-7567
Indicators of Compromise
- HTTP GET requests containing temp-login-token[] or any array-style notation for the temp-login-token parameter.
- Successful WordPress login events for users carrying the _temporary_login_token usermeta key without a preceding token issuance event.
- New authenticated sessions originating from IP addresses that never previously requested the temporary login URL.
Detection Strategies
- Inspect web server access logs for query strings matching the regex temp-login-token(\[|%5B) and alert on any match.
- Correlate WordPress wp_login audit events with the absence of a corresponding token issuance entry in the plugin's admin log.
- Flag authentication events where the temp-login-token parameter type, captured at the WAF or reverse proxy, is not a scalar string.
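Added example, not part of the advisory: the first detection strategy above applied to web server access log lines. It uses the advisory's regex, made case-insensitive so the lowercase %5b encoding is also caught, and additionally runs the query string through parse_str() to confirm that PHP would actually receive the parameter as an array. The log lines and IP addresses are constructed, not real traffic.

```php
<?php
// Added detection example; the access log lines below are constructed samples.
$demo_log = <<<'LOG'
203.0.113.10 - - [01/May/2026:10:00:01 +0000] "GET /?temp-login-token=a1b2c3d4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [01/May/2026:10:00:02 +0000] "GET /?temp-login-token[]= HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.12 - - [01/May/2026:10:00:03 +0000] "GET /?temp-login-token%5B%5D=x HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.13 - - [01/May/2026:10:00:04 +0000] "GET /?temp-login-token%5b0%5d=x HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.14 - - [01/May/2026:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
LOG;

// Regex from the detection strategy, with /i added so %5b is matched as well as %5B.
const TOKEN_ARRAY_RE = '/temp-login-token(\[|%5B)/i';

// Pull the request-target out of the quoted request line of a combined-format entry.
function parse_request_target(string $line): ?string {
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

// True when the query string would hand PHP an array for temp-login-token.
function query_yields_array_token(string $query): bool {
    parse_str($query, $params);
    return is_array($params['temp-login-token'] ?? null);
}

// Return one record per suspicious line: client IP, raw query, and which check fired.
function find_array_token_requests(string $log): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $target = parse_request_target($line);
        if ($target === null) {
            continue;
        }
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        $regex_hit = (bool) preg_match(TOKEN_ARRAY_RE, $query);
        $parsed_hit = query_yields_array_token($query);
        if ($regex_hit || $parsed_hit) {
            $hits[] = ['ip' => strtok($line, ' '), 'query' => $query,
                       'regex' => $regex_hit, 'parsed' => $parsed_hit];
        }
    }
    return $hits;
}

foreach (find_array_token_requests($demo_log) as $hit) {
    printf("ALERT array-style temp-login-token from %s (regex=%d parsed=%d): %s\n",
        $hit['ip'], $hit['regex'], $hit['parsed'], $hit['query']);
}
```

The parse_str() check is the one to trust where the reverse proxy may have re-encoded the query, since it reports what the PHP side would see rather than what the raw bytes look like.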
Monitoring Recommendations
- Enable verbose logging of authentication events on WordPress sites running the Temporary Login plugin.
- Monitor for sudden privilege use, post creation, or plugin installation by accounts associated with temporary logins.
- Track outbound connections from the WordPress host that follow successful temporary-login authentications.
How to Mitigate CVE-2026-7567
Immediate Actions Required
- Deactivate and remove the Temporary Login plugin until a fixed release is installed.
- Revoke all existing temporary login users by deleting accounts that hold the _temporary_login_token usermeta key.
- Force a password reset and session invalidation for any administrator accounts that may have been impersonated.
- Review recent plugin, theme, and user-role changes for unauthorized modifications.
Patch Information
No patched version is referenced in the available advisory data. Site operators should monitor the Wordfence Vulnerability Report and the plugin source repository for an updated release that adds a scalar type check to the temp-login-token parameter before it reaches sanitize_key().
Workarounds
- Block requests containing array-style temp-login-token parameters at the WAF or reverse proxy layer.
- Restrict access to the plugin's login endpoint by IP allowlist while a fix is pending.
- Disable temporary user accounts and rely on standard WordPress authentication until the plugin is updated.
# Example NGINX rule to block array-style token parameters
if ($args ~* "temp-login-token(\[|%5B)") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.