Skip to main content

DoLogin Security CVE-2026-14495

| EUVDEUVD-2026-42167 HIGH
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-07-08 Wordfence GHSA-3585-g468-xfc2
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Unauthenticated 'init' hook means PR:N, but a live unexpired magic link must exist and the ID be known - a condition beyond attacker control - so AC:H; full account takeover gives C/I/A High.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:26 vuln.today
CVE Published
Jul 08, 2026 - 05:34 nvd
HIGH 8.8

DescriptionCVE.org

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because dologin\s::rrand() seeds the Mersenne Twister with mt_srand((double) microtime() * 1000000) - discarding the integer-seconds component of microtime() and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) - after which every character of the 32-character magic-link token is drawn sequentially with mt_rand(), making the entire token a deterministic function of that seed. Because Pswdless::try_login() is registered on the unauthenticated init hook, resolves the target account by the auto-increment numeric ID embedded in the ?dologin=<id>.<hash> parameter, performs the hash comparison using a non-constant-time != operator, and then calls wp_set_auth_cookie() directly - never passing through wp_authenticate() and therefore never triggering the plugin's own Auth::_has_login_err() lockout - an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.

AnalysisAI

Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target user numeric link ID
Delivery
Request unauthenticated init endpoint with ?dologin=id.hash
Exploit
Brute-force ~10^6 mt_srand seed space offline
Execution
Reconstruct valid 32-char magic-link token
Persist
Submit forged token, receive auth cookie
Impact
Authenticate as administrator without password

Vulnerability AssessmentAI

Exploitation Exploitation requires that a valid, unexpired DoLogin passwordless login link exists for the target account at the time of attack - such links remain active for up to 7 days after being generated - and that the account's auto-increment numeric link ID is known or guessable (low integer IDs for early/administrator accounts make this easy). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue: it yields full administrator account takeover with no password, and the attack surface (unauthenticated 'init' hook) is reachable by any anonymous visitor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker triggers a passwordless login request for a known administrator (or waits for one to exist), then makes a request to the site's unauthenticated 'init' entry point with ?dologin=<admin_id>.<hash>, iterating the numeric admin ID from the low auto-increment primary key. Offline, they enumerate the ~10^6 possible mt_srand seeds, regenerate each candidate 32-character token, and submit the matching hash to have wp_set_auth_cookie() issue a valid admin session - no password and no lockout. …
Remediation No vendor-released patch version is identified in the available data, so a fixed release cannot be cited; monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/16bce371-b524-48eb-8537-3f9df802abd3?source=cve) and the WordPress.org plugin page for a release above 4.3 and upgrade as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all WordPress installations using DoLogin Security plugin version 4.3 and earlier; immediately disable the plugin and implement alternative authentication method. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy