CVE-2026-7567: Temporary Login vulnerability - full analysis & how to protect
Critical security flaw in Temporary Login on WordPress sites. Severity: Critical (CVSS 9.8). Published 2026-05-01. Full technical breakdown, who is at risk, and exact mitigation steps.
TL;DR - what you need to know
A critical vulnerability exists in the Temporary Login plugin for WordPress, affecting versions 1.0.0 and below. This flaw allows an unauthenticated attacker to log into your site as any user with an active temporary account, without needing a password or a valid token. Due to the severity (CVSS 9.8), you must update the plugin immediately to protect your site from potential takeover.
Technical analysis
GuardLabs has analyzed CVE-2026-7567, a critical Authentication Bypass vulnerability in the Temporary Login plugin for WordPress. The vulnerability is rated 9.8 (Critical) on the CVSS scale and affects all versions up to and including 1.0.0. It allows an unauthenticated attacker to gain access to an account created by the plugin by sending a single, specially crafted web request. This circumvents the plugin's primary function of providing secure, token-based temporary access.
The root cause is improper input validation within the maybe_login_temporary_user() function. The function expects the temp-login-token GET parameter to be a scalar string. However, it fails to enforce this type. An attacker can supply the parameter as an array (e.g., ?temp-login-token[]=). Due to a quirk in PHP's type handling, an empty() check on an array containing an empty string evaluates to false, bypassing an initial validation step. Subsequently, the array is passed to the sanitize_key() function, which, when given an array, returns an empty string.
This empty string is then used as the meta_value in a get_users() database query, which is designed to find the user associated with the token. The query searches for users with the meta_key of _temporary_login_token. Crucially, when WordPress's underlying WP_User_Query class receives an empty string for meta_value, it ignores this condition and returns all users matching the meta_key. As a result, the query returns a list of all users with an active temporary login. The function then proceeds to log the attacker in as the first user from this list, granting them full access to that user's account and privileges without requiring any valid credentials.
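The following is an added illustration, not the plugin's code: a naive lookup that mirrors the mechanism described above (empty() passing an array, sanitize_key() collapsing it to an empty string, the empty meta_value matching every user) beside a hardened replacement. sanitize_key() and get_users() are replaced by small stand-ins so it runs outside WordPress, and the 32-character hex token format is an assumption.

```php
<?php
// Illustrative reconstruction, not the plugin's code: a naive token lookup
// that mirrors the flaw described above, beside a hardened replacement.
// sanitize_key() is re-implemented with WordPress's documented behaviour
// so the script runs outside WordPress; the 32-hex token format is assumed.
function sanitize_key_stub($key): string {
    if (!is_scalar($key)) {
        return '';                       // non-scalar input collapses to ''
    }
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
}

// Constructed stand-in for get_users(): users with an active token meta value.
const TEMP_USERS = [
    ['ID' => 7,  'token' => 'a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6'],
    ['ID' => 12, 'token' => 'ffffffffffffffffffffffffffffffff'],
];

function get_users_stub(string $meta_value): array {
    // WP_Meta_Query drops an empty meta_value, so '' matches every row.
    if ($meta_value === '') {
        return TEMP_USERS;
    }
    return array_values(array_filter(
        TEMP_USERS, fn($u) => $u['token'] === $meta_value
    ));
}

// Naive lookup: empty() does not reject [''] (the array is non-empty) and
// sanitize_key() turns it into '', so the query returns every temp user.
function naive_lookup($raw): ?int {
    if (empty($raw)) {
        return null;
    }
    $users = get_users_stub(sanitize_key_stub($raw));
    return $users ? $users[0]['ID'] : null;
}

// Hardened lookup: enforce the type and exact shape before querying, never
// query on an empty value, and require exactly one match.
function hardened_lookup($raw): ?int {
    if (!is_string($raw) || !preg_match('/^[a-f0-9]{32}$/', $raw)) {
        return null;
    }
    $users = get_users_stub($raw);
    return count($users) === 1 ? $users[0]['ID'] : null;
}
var_dump(naive_lookup(['']));                                  // array input reaches the query
var_dump(hardened_lookup(['']));                               // rejected before the query
var_dump(hardened_lookup('a1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6'));  // normal single-user match
```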
Who is at risk
Any WordPress site using the Temporary Login plugin, versions 1.0.0 and below, is at risk. This plugin is commonly used by site administrators to provide temporary, revocable access to third parties such as developers, designers, or support technicians. It is a popular tool for troubleshooting, maintenance, and collaborative development without creating permanent user accounts or sharing primary administrator credentials.
The risk is highest for sites that have at least one active temporary login account. If no temporary accounts are currently active, the exploit will fail as the database query will return no users. However, given the plugin's purpose, it is frequently used on development, staging, and production environments where external collaboration is common. If a temporary account has high-level privileges, such as 'Administrator', an attacker could use this vulnerability to gain complete control over the affected WordPress site.
How to mitigate
Due to the critical nature of this vulnerability, immediate action is required. Follow these steps to secure your website:
- Update Immediately: The most important step is to update the Temporary Login plugin to the latest patched version. The plugin author has released a fix that corrects the input validation flaw. Navigate to your WordPress dashboard, go to 'Plugins', and apply the update for the Temporary Login plugin.
- Backup Your Site: Before performing any updates or changes, always create a full backup of your WordPress files and database. This ensures you can restore your site to a working state if any issues arise during the update process.
- Temporary Measures if Unable to Update: If you cannot update the plugin immediately for any reason, you should disable and delete it from your site to remove the vulnerable code. As an alternative, a Web Application Firewall (WAF) can provide a layer of virtual patching. A custom WAF rule can be configured to block any requests where the temp-login-token parameter is sent as an array (e.g., by blocking requests containing temp-login-token[ in the query string).
- Automated Vulnerability Detection: To prevent future issues, use a security tool to monitor your site for vulnerable plugins and themes. Services like GuardLabs Web-Audit Guardian, as well as other reputable security plugins and external scanners, can automatically detect outdated software and alert you to known vulnerabilities, allowing you to take action before they are exploited.
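As an added example (not GuardLabs' or the plugin's code) of the WAF-style check described in the mitigation steps, this PHP script flags access-log lines whose query string sends temp-login-token as an array. The log lines are constructed, and the decode step covers the URL-encoded bracket form that a rule matching only a literal `[` would miss.

```php
<?php
// Added example (not from GuardLabs or the plugin): flag access-log lines
// whose query string carries temp-login-token in array form. The log lines
// below are constructed combined-format entries with documentation IPs.
function is_array_form_token_request(string $query): bool {
    // Decode once so temp-login-token%5B%5D= is caught as well as the
    // literal bracket form; a rule matching only "[" misses the encoded one.
    $decoded = rawurldecode($query);
    return (bool) preg_match('/(^|&)temp-login-token\[/', $decoded);
}

function flag_log_lines(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        // Pull the query string out of "METHOD /path?query HTTP/x.y".
        if (!preg_match('/"[A-Z]+ [^ ?"]*\?([^ "]*) HTTP/', $line, $m)) {
            continue;                    // no query string, nothing to check
        }
        if (is_array_form_token_request($m[1])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log: one normal token use, two array-form requests
// (literal and percent-encoded), one unrelated request.
$log = [
    '203.0.113.5 - - [01/May/2026:10:00:01 +0000] "GET /?temp-login-token=abc123 HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/May/2026:10:00:02 +0000] "GET /?temp-login-token[]= HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/May/2026:10:00:03 +0000] "GET /?temp-login-token%5B%5D= HTTP/1.1" 302 0',
    '198.51.100.2 - - [01/May/2026:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 4210',
];

foreach (flag_log_lines($log) as $hit) {
    echo "suspicious: $hit\n";
}
```

Only the second and third constructed lines are reported; the same predicate can be lifted into a WAF rule, provided the WAF applies it after URL-decoding.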
Frequently asked questions
An attacker can log in as any user who has an active temporary login, without needing a password or token. This could grant them administrative access if the temporary user is an administrator.
In your WordPress dashboard, go to 'Plugins' -> 'Installed Plugins'. If you see 'Temporary Login' listed with a version number of 1.0.0 or lower, your site is vulnerable and you must update it.
If there are no active temporary logins, the exploit will not find a user to log in as. However, the vulnerable code is still present, and your site would become immediately vulnerable the moment a new temporary login is created.
The safest course of action is to navigate to your WordPress plugins page, and then 'Deactivate' and 'Delete' the Temporary Login plugin until you are able to install a patched version.
A properly configured WAF may block the specific exploit pattern, providing a layer of protection. However, updating the plugin is the only guaranteed and permanent solution to fix the underlying vulnerability.
Disclosure timeline
- 2026-05-01: Published in NVD
- 2026-05-03: GuardLabs analysis