CVE | May 3, 2026 | 2 min read

CVE-2026-7567 – Critical Authentication Bypass in Temporary Login Plugin (CVSS 9.8)

A critical vulnerability has been discovered in the Temporary Login plugin by StoreApps, a WordPress plugin with over 100,000 active installations. Tracked as CVE-2026-7567 with a CVSS score of 9.8 (Critical), this authentication bypass flaw allows unauthenticated attackers to log in as any active temporary user with a single crafted HTTP request.

Vulnerability Details

CVE ID: CVE-2026-7567
CVSS Score: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Plugin: Temporary Login (versions ≤ 1.0.0)
Patched in: Version 1.0.1
Type: Authentication Bypass
Discovered: May 1, 2026

Root Cause: PHP Type Confusion

The vulnerability resides in the maybe_login_temporary_user() function. When a user visits a login link containing the temp-login-token parameter, the plugin checks that the parameter is not empty before processing it. The check looks like this:

if (!empty($_GET['temp-login-token'])) {
    $token = sanitize_key($_GET['temp-login-token']);
    // ... look up user by token
}

The problem? PHP’s empty() function returns true for a missing or empty value, but false (meaning “not empty”) for an array that holds at least one element. When a request carries ?temp-login-token[]=anything, PHP parses the parameter as a one-element array rather than a string. The array passes the empty() check, but sanitize_key() only processes scalar values: for an array it returns an empty string.

WordPress then runs get_users() with this empty token as the meta_value. Crucially, WordPress drops an empty meta_value from the meta query and returns every user that has the _temporary_login_token meta key — which is every active temporary login session. The plugin then logs the requester in as the first matching user.
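The following is an added example, not code from the plugin or the article, that places the vulnerable check described above beside a hardened version. sanitize_key_sim() is a simplified stand-in for WordPress’s sanitize_key() so the script runs outside WordPress; the function names vulnerable_token() and hardened_token() are assumptions for illustration.

```php
<?php
// Stand-in for WordPress sanitize_key(): non-scalar input sanitizes to ''.
function sanitize_key_sim($key): string {
    if (!is_scalar($key)) {
        return '';
    }
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
}

// Vulnerable pattern from the article: empty() lets a non-empty array through,
// and the caller receives '' as the token, which later matches every user
// carrying the meta key.
function vulnerable_token(array $get): ?string {
    if (!empty($get['temp-login-token'])) {
        return sanitize_key_sim($get['temp-login-token']);
    }
    return null;
}

// Hardened pattern: require a string, sanitize it, and refuse an empty result
// before any user lookup is attempted. A null return means "do not query".
function hardened_token(array $get): ?string {
    $raw = $get['temp-login-token'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $token = sanitize_key_sim($raw);
    return $token === '' ? null : $token;
}

// Constructed inputs modelling three shapes of $_GET.
$cases = [
    'missing' => [],
    'string'  => ['temp-login-token' => 'a1b2c3'],
    'array'   => ['temp-login-token' => ['x']], // what ?temp-login-token[]=x yields
];

foreach ($cases as $name => $get) {
    printf("%-8s vulnerable=%-8s hardened=%s\n",
        $name,
        var_export(vulnerable_token($get), true),
        var_export(hardened_token($get), true));
}
```

For the array case the vulnerable path returns '' (a token that must never reach get_users()), while the hardened path returns null and stops before the lookup.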

Real-World Impact

An attacker only needs to send one GET request to an affected site:

GET /wp-login.php?action=tmp-login&temp-login-token[]=x HTTP/1.1
Host: example.com

If any temporary login sessions are active (which is the default use case for this plugin), the attacker gains immediate access with the privileges of that user. Since temporary logins are often created with administrator or editor roles, the impact is complete site compromise — data theft, malware injection, and backdoor creation.

Affected Plugin Information

Temporary Login by StoreApps is used by site administrators and developers to create time-limited login links for support staff, contractors, and testing purposes. Versions up to and including 1.0.0 are vulnerable. The fix was released in version 1.0.1.

How to Protect Your Site

  1. Update immediately — Update the Temporary Login plugin to version 1.0.1 or higher.
  2. Audit active sessions — Check for any temporary login sessions that may have been compromised and remove them.
  3. Review logs — Check your access logs for suspicious temp-login-token[] requests.
  4. Use a security plugin — Trusti Security monitors for plugin vulnerabilities in real time and can alert you when a vulnerable plugin is installed on your site.

Timeline

  • April 2026 — Vulnerability discovered and responsibly disclosed
  • May 1, 2026 — CVE-2026-7567 published, patch released in version 1.0.1
  • May 2, 2026 — Added to WordPress Plugin Security database

Stay tuned for our upcoming roundup covering three critical WordPress plugin vulnerabilities patched in just 9 days. If you find this analysis useful, consider subscribing to our newsletter for weekly WordPress security updates.