Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
WordPress plugin endpoint reachable over HTTP without auth or interaction (AV:N/AC:L/PR:N/UI:N); IDOR lets attacker tamper with plugin-managed records (I:L) and break login (A:H), no data disclosure stated (C:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions.
AnalysisAI
Insecure direct object reference in the Clean Login WordPress plugin versions 1.15 and earlier allows remote unauthenticated attackers to manipulate object identifiers to modify data they should not control and to disrupt plugin-managed functionality. The flaw is reported by Patchstack and tagged as an authentication bypass affecting Alberto Hornero's Clean Login plugin, with no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Target site must run WordPress with the Clean Login plugin by Alberto Hornero installed and active at version 1.15 or earlier, and the vulnerable plugin endpoint (front-end login/registration/account-management page or its AJAX/REST handler) must be reachable by the attacker over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N is consistent with a remote, unauthenticated WordPress endpoint reachable over HTTP(S), and the U scope with C:N/I:L/A:H implies the impact is constrained to objects managed by the plugin itself rather than the whole WordPress installation - most plausibly the ability to alter or destroy user account records, password-reset tokens, or registration data, leading to lockouts or denial of login functionality. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates or guesses identifiers used by a Clean Login endpoint (e.g. a user ID, account record, or password-reset token parameter) and issues crafted HTTP requests to the plugin's front-end or AJAX handler. … |
| Remediation | No vendor-released patch identified at time of analysis; the input lists only the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/clean-login/vulnerability/wordpress-clean-login-plugin-1-15-insecure-direct-object-references-idor-vulnerability) and no fix version, so administrators should monitor that page and the plugin's WordPress.org repository for a release greater than 1.15 and upgrade as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit installed WordPress plugins across all systems; identify instances running Clean Login version ≤1.15; review access logs for suspicious activity targeting plugin endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Clean Login
View allThe Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5
CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37629