CVE-2026-14495
Last modified
CVE-2026-14495 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| wpdo5ea | DoLogin Security | <= 4.3 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14495?
How severe is CVE-2026-14495?
How do I fix CVE-2026-14495?
Related CVEs from 2026
- CVE-2026-14476A path traversal flaw was found in SSSD's AD GPO provider. T…8
- CVE-2026-1448A vulnerability was detected in D-Link DIR-615 up to 4.10. T…7.3
- CVE-2026-14482The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege…8.8
- CVE-2026-14487The Simple Coherent Form plugin for WordPress is vulnerable …9.1
- CVE-2026-14489The WHMCS Bridge plugin for WordPress is vulnerable to arbit…8.8
- CVE-2026-1449A flaw has been found in Hisense TransTech Smart Bus Managem…7.3
- CVE-2026-1450The rognone plugin for WordPress is vulnerable to Reflected …6.1
- CVE-2026-14500The Bulk Order Update for WooCommerce plugin for WordPress i…5.3
- CVE-2026-1451The rognone plugin for WordPress is vulnerable to Reflected …6.1
- CVE-2026-1452Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMB…
- CVE-2026-1453A missing authentication for critical function vulnerability…9.8
- CVE-2026-14534Trail of Bits fickling versions up to and including 0.1.10 d…8.8
Are you affected by CVE-2026-14495?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
