Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Unauthenticated 'init' hook means PR:N, but a live unexpired magic link must exist and the ID be known - a condition beyond attacker control - so AC:H; full account takeover gives C/I/A High.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because dologin\s::rrand() seeds the Mersenne Twister with mt_srand((double) microtime() * 1000000) - discarding the integer-seconds component of microtime() and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) - after which every character of the 32-character magic-link token is drawn sequentially with mt_rand(), making the entire token a deterministic function of that seed. Because Pswdless::try_login() is registered on the unauthenticated init hook, resolves the target account by the auto-increment numeric ID embedded in the ?dologin=<id>.<hash> parameter, performs the hash comparison using a non-constant-time != operator, and then calls wp_set_auth_cookie() directly - never passing through wp_authenticate() and therefore never triggering the plugin's own Auth::_has_login_err() lockout - an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.
AnalysisAI
Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a valid, unexpired DoLogin passwordless login link exists for the target account at the time of attack - such links remain active for up to 7 days after being generated - and that the account's auto-increment numeric link ID is known or guessable (low integer IDs for early/administrator accounts make this easy). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue: it yields full administrator account takeover with no password, and the attack surface (unauthenticated 'init' hook) is reachable by any anonymous visitor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker triggers a passwordless login request for a known administrator (or waits for one to exist), then makes a request to the site's unauthenticated 'init' entry point with ?dologin=<admin_id>.<hash>, iterating the numeric admin ID from the low auto-increment primary key. Offline, they enumerate the ~10^6 possible mt_srand seeds, regenerate each candidate 32-character token, and submit the matching hash to have wp_set_auth_cookie() issue a valid admin session - no password and no lockout. … |
| Remediation | No vendor-released patch version is identified in the available data, so a fixed release cannot be cited; monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/16bce371-b524-48eb-8537-3f9df802abd3?source=cve) and the WordPress.org plugin page for a release above 4.3 and upgrade as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all WordPress installations using DoLogin Security plugin version 4.3 and earlier; immediately disable the plugin and implement alternative authentication method. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Dologin Security
View allThe DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For
The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of
The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42167
GHSA-3585-g468-xfc2