Critical Authentication Bypass in WordPress Temporary Login Plugin

Executive Summary

A critical authentication bypass vulnerability (CVE-2026-7567) has been disclosed in the Temporary Login plugin for WordPress, affecting all versions up to and including 1.0.0. The flaw exists in the maybe_login_temporary_user() function, which fails to validate that the temp-login-token GET parameter is a scalar string before processing it. By passing a non-scalar value (such as an array), an attacker can bypass the token verification logic and gain unauthorized access to a WordPress installation.

CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Authentication bypass flaws of this nature represent a high-severity risk to any WordPress site using this plugin, as they allow full administrative or user-level access without any credentials. Immediate action is required: disable or remove the plugin until a patched version is available.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-7567
CVSS Score	9.8 (Critical)
Type	Authentication Bypass / Improper Input Validation (CWE-20)
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality / Integrity / Availability	High / High / High
Published	2026-05-01
Affected Plugin	Temporary Login for WordPress (≤ 1.0.0)

Affected Products

Product	Affected Versions	Status
WordPress Temporary Login Plugin	≤ 1.0.0	Vulnerable

The Temporary Login plugin allows WordPress administrators to create time-limited login links for external users (contractors, support staff, clients) without sharing permanent credentials. The vulnerability in the token validation logic undermines the entire authentication model of the plugin.

Technical Details

Vulnerability Root Cause

The maybe_login_temporary_user() function retrieves the temp-login-token value directly from the $_GET superglobal and passes it to a comparison or lookup function without first verifying that the value is a scalar string.

In PHP, when an array is passed to functions that expect a scalar string (such as strcmp() or hash_equals()), the comparison often returns 0 (equal) or silently fails in a way that the surrounding conditional logic interprets as success. This is a classic PHP type juggling vulnerability — the code assumes the token is always a string, but PHP allows callers to pass arrays via HTTP query parameters.

Attack Chain

1. Attacker identifies a WordPress site running Temporary Login plugin <= 1.0.0
2. Attacker sends a GET request to the login endpoint:
   /?temp-login-token[]=arbitrary_value
3. PHP receives temp-login-token as an array instead of a string
4. maybe_login_temporary_user() passes array to comparison function
5. PHP type mismatch causes strcmp(array, string) to return 0 (treated as equal)
6. Token validation logic interprets return value 0 as successful match
7. Attacker is logged in as the user associated with the token (potentially admin)
8. Full WordPress admin panel access achieved with no credentials

PHP Type Juggling Explained

PHP allows query parameters to be passed as arrays using bracket notation:

Attacker request:
  GET /?temp-login-token[]=anything HTTP/1.1
 
PHP receives:
  $_GET['temp-login-token'] === ['anything']  (an array, not a string)
 
Vulnerable comparison:
  strcmp($_GET['temp-login-token'], $stored_token)
  // strcmp(array, string) returns NULL in PHP < 8.0
  // NULL == 0 evaluates to TRUE under loose comparison (==)
  // Result: authentication check passes

The secure fix requires calling is_string() on the token value before any comparison, and using strict comparison (===) with hash_equals() rather than loose comparison (==) against the result.

Impact Assessment

Impact Area	Description
Unauthorized Admin Access	Attacker can gain full WordPress administrator access
Content Tampering	Modification or deletion of posts, pages, and media
Plugin/Theme Installation	Upload of malicious plugins or themes for persistent backdoors
User Account Manipulation	Create, modify, or delete user accounts including admins
Data Exfiltration	Access to all stored content, user data, and plugin configuration
Defacement	Full site defacement or redirection to malicious content
File System Access	File manager access can be used to upload a PHP backdoor script

Recommendations

Immediate Actions

Disable the Temporary Login plugin immediately if running version ≤ 1.0.0
Delete active temporary login tokens via the plugin dashboard before disabling
Audit WordPress admin accounts for any unauthorized additions or changes
Review access logs for suspicious ?temp-login-token[]= requests

Patching

Check the WordPress plugin repository for an updated version of the Temporary Login plugin
If no patch is available, remove the plugin entirely and use an alternative access method (manual user creation with time-limited accounts)

Hardening Measures

- Deploy a WAF rule blocking requests where temp-login-token contains bracket notation
  Pattern: block any URL parameter matching /temp-login-token\[/ in access logs
- Enable WordPress admin email notifications for new admin user creation
- Use a security plugin (Wordfence, Sucuri) to monitor for login anomalies
- Restrict wp-login.php and plugin login endpoints by IP where possible
- Enforce PHP 8.0+ where strcmp() with non-scalar input throws a TypeError

Detection Indicators

Indicator	Description
GET requests with `temp-login-token[]=` in the URL	Exploitation attempt via array injection
Sudden new WordPress admin accounts	Post-exploitation account creation
Plugin or theme uploads from unexpected IPs	Backdoor installation attempt
PHP files with base64-encoded content in wp-content	Possible obfuscated backdoor upload
WordPress admin actions outside business hours	Suspicious unauthorized access

Post-Remediation Checklist

Verify plugin removed or updated to a patched version
Audit all WordPress user accounts — remove any unauthorized admin accounts
Change all admin passwords and revoke active sessions (wp_session_tokens)
Scan wp-content for new or modified PHP files that could be backdoors
Review file system integrity using a WordPress security scanner
Check plugin and theme directories for unauthorized additions
Enable two-factor authentication for all admin-level WordPress accounts
Update WAF rules to block array-based GET parameter injection attempts

References

Executive Summary

CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-7567
CVSS Score	9.8 (Critical)
Type	Authentication Bypass / Improper Input Validation (CWE-20)
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality / Integrity / Availability	High / High / High
Published	2026-05-01
Affected Plugin	Temporary Login for WordPress (≤ 1.0.0)

Affected Products

Product	Affected Versions	Status
WordPress Temporary Login Plugin	≤ 1.0.0	Vulnerable

Technical Details

Vulnerability Root Cause

Attack Chain

1. Attacker identifies a WordPress site running Temporary Login plugin <= 1.0.0
2. Attacker sends a GET request to the login endpoint:
   /?temp-login-token[]=arbitrary_value
3. PHP receives temp-login-token as an array instead of a string
4. maybe_login_temporary_user() passes array to comparison function
5. PHP type mismatch causes strcmp(array, string) to return 0 (treated as equal)
6. Token validation logic interprets return value 0 as successful match
7. Attacker is logged in as the user associated with the token (potentially admin)
8. Full WordPress admin panel access achieved with no credentials

PHP Type Juggling Explained

PHP allows query parameters to be passed as arrays using bracket notation:

Attacker request:
  GET /?temp-login-token[]=anything HTTP/1.1
 
PHP receives:
  $_GET['temp-login-token'] === ['anything']  (an array, not a string)
 
Vulnerable comparison:
  strcmp($_GET['temp-login-token'], $stored_token)
  // strcmp(array, string) returns NULL in PHP < 8.0
  // NULL == 0 evaluates to TRUE under loose comparison (==)
  // Result: authentication check passes

Impact Assessment

Impact Area	Description
Unauthorized Admin Access	Attacker can gain full WordPress administrator access
Content Tampering	Modification or deletion of posts, pages, and media
Plugin/Theme Installation	Upload of malicious plugins or themes for persistent backdoors
User Account Manipulation	Create, modify, or delete user accounts including admins
Data Exfiltration	Access to all stored content, user data, and plugin configuration
Defacement	Full site defacement or redirection to malicious content
File System Access	File manager access can be used to upload a PHP backdoor script

Recommendations

Immediate Actions

Disable the Temporary Login plugin immediately if running version ≤ 1.0.0
Delete active temporary login tokens via the plugin dashboard before disabling
Audit WordPress admin accounts for any unauthorized additions or changes
Review access logs for suspicious ?temp-login-token[]= requests

Patching

Check the WordPress plugin repository for an updated version of the Temporary Login plugin
If no patch is available, remove the plugin entirely and use an alternative access method (manual user creation with time-limited accounts)

Hardening Measures

- Deploy a WAF rule blocking requests where temp-login-token contains bracket notation
  Pattern: block any URL parameter matching /temp-login-token\[/ in access logs
- Enable WordPress admin email notifications for new admin user creation
- Use a security plugin (Wordfence, Sucuri) to monitor for login anomalies
- Restrict wp-login.php and plugin login endpoints by IP where possible
- Enforce PHP 8.0+ where strcmp() with non-scalar input throws a TypeError

Detection Indicators

Indicator	Description
GET requests with `temp-login-token[]=` in the URL	Exploitation attempt via array injection
Sudden new WordPress admin accounts	Post-exploitation account creation
Plugin or theme uploads from unexpected IPs	Backdoor installation attempt
PHP files with base64-encoded content in wp-content	Possible obfuscated backdoor upload
WordPress admin actions outside business hours	Suspicious unauthorized access

Post-Remediation Checklist

Verify plugin removed or updated to a patched version
Audit all WordPress user accounts — remove any unauthorized admin accounts
Change all admin passwords and revoke active sessions (wp_session_tokens)
Scan wp-content for new or modified PHP files that could be backdoors
Review file system integrity using a WordPress security scanner
Check plugin and theme directories for unauthorized additions
Enable two-factor authentication for all admin-level WordPress accounts
Update WAF rules to block array-based GET parameter injection attempts

Critical Authentication Bypass in WordPress Temporary Login Plugin

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

Vulnerability Root Cause

Attack Chain

PHP Type Juggling Explained

Impact Assessment

Recommendations

Immediate Actions

Patching

Hardening Measures

Detection Indicators

Post-Remediation Checklist

References

CVE-2026-41940: WebPros cPanel & WHM and WP2 Missing Authentication Vulnerability

CVE-2026-39440: FunnelFormsPro WordPress Plugin Remote Code Inclusion (CVSS 9.9)

CVE-2026-3844 — Breeze Cache WordPress Plugin Unauthenticated File Upload

Critical Authentication Bypass in WordPress Temporary Login Plugin

Affected Products

Executive Summary

Vulnerability Overview

Affected Products

Technical Details

Vulnerability Root Cause

Attack Chain

PHP Type Juggling Explained

Impact Assessment

Recommendations

Immediate Actions

Patching

Hardening Measures

Detection Indicators

Post-Remediation Checklist

References

CVE-2026-41940: WebPros cPanel & WHM and WP2 Missing Authentication Vulnerability

CVE-2026-39440: FunnelFormsPro WordPress Plugin Remote Code Inclusion (CVSS 9.9)

CVE-2026-3844 — Breeze Cache WordPress Plugin Unauthenticated File Upload