CVE-2026-7567
CVSS 9.8
Daily digests
This is a nasty one. The Temporary Login WordPress plugin (v1.0.0 and below) has an authentication bypass that lets an unauthenticated attacker log in as any temporary user with a single crafted GET request. The bug is a type-juggling issue: sending the login token as an array instead of a string tricks the code into returning any user with a temporary login token. No credentials needed, no brute force, just one HTTP request.
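A detection sketch for the request shape described above, added here as an example and not taken from the plugin or any advisory: it flags access-log entries where a parameter that should be a plain string arrives in PHP array form, including the percent-encoded variant. The parameter name `login_token` and the sample log lines are constructed assumptions, since the page does not name the real parameter.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical token parameter name; the page does not give the real one.
SCALAR_PARAMS = {"login_token"}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# PHP turns "name[]" and "name[key]" into an array stored under "name".
ARRAY_KEY_RE = re.compile(r'^(?P<base>[^\[\]]+)\[[^\]]*\]')


def array_form_params(target):
    """Return watched parameters that arrive in array form in a request target."""
    hits = set()
    query = target.partition("?")[2]
    for pair in query.split("&"):
        # Split before decoding so an encoded "=" in the key is not misread,
        # then decode so %5B%5D is seen as [].
        key = unquote_plus(pair.split("=", 1)[0])
        m = ARRAY_KEY_RE.match(key)
        if m and m.group("base") in SCALAR_PARAMS:
            hits.add(m.group("base"))
    return hits


def scan(lines):
    """Return (line_number, method, parameter) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name in sorted(array_form_params(m.group("target"))):
            findings.append((n, m.group("method"), name))
    return findings


# Constructed sample entries (documentation IP range, made-up values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /?login_token=4f9c2a HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /?login_token[]=x HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /?a=1&login_token%5B0%5D=x HTTP/1.1" 302 0',
    '203.0.113.4 - - [01/Jan/2026:10:00:12 +0000] "GET /?tags[]=news HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, method, name in scan(SAMPLE_LOG):
        print(f"line {line_no}: {method} request sends '{name}' as an array")
```

Parameters that legitimately accept arrays, such as `tags[]` in the last sample line, are ignored because only names listed in `SCALAR_PARAMS` are checked.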