Skip to main content

Dologin Security

4 CVEs product

Monthly

CVE-2026-14495 HIGH This Week

Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. No public exploit identified at time of analysis, but the flaw was reported by Wordfence and the vulnerable code paths are cited directly in the WordPress plugin repository.

WordPress Authentication Bypass Dologin Security
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-4800 MEDIUM This Month

The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress Dologin Security
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-4631 MEDIUM POC This Month

The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Dologin Security
NVD WPScan
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-4549 MEDIUM POC This Month

The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Dologin Security
NVD WPScan
CVSS 3.1
6.1
EPSS
0.6%
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. No public exploit identified at time of analysis, but the flaw was reported by Wordfence and the vulnerable code paths are cited directly in the WordPress plugin repository.

WordPress Authentication Bypass Dologin Security
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress Dologin Security
NVD WPScan
EPSS 1% CVSS 5.3
MEDIUM POC This Month

The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Dologin Security
NVD WPScan
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Dologin Security
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy