{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dologin-security-plugin--4.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-14495"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DoLogin Security plugin \u003c= 4.3"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","authentication-bypass","web-exploitation","cve"],"_cs_type":"advisory","_cs_vendors":["DoLogin Security"],"content_html":"\u003cp\u003eThe DoLogin Security plugin for WordPress, specifically in versions up to and including 4.3, harbors a critical authentication bypass vulnerability, tracked as CVE-2026-14495. This flaw stems from insufficient randomness in the \u003ccode\u003edologin\\s::rrand()\u003c/code\u003e function, which seeds the Mersenne Twister pseudorandom number generator using only the microsecond component of the current time. This constrains the seed space to approximately 10^6 possible values, making the 32-character magic-link tokens generated from it predictable. An unauthenticated attacker can leverage this weakness to brute-force the limited seed space offline, thereby reconstructing active passwordless login tokens. Successful exploitation allows the attacker to authenticate as any targeted user, including administrators, without a password, as the plugin directly calls \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e and bypasses standard authentication and lockout mechanisms. Exploitation requires a valid, unexpired passwordless link to exist for the target, and knowledge or guesswork of the numeric user ID.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a WordPress site utilizing the vulnerable DoLogin Security plugin (version \u0026lt;= 4.3).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user (e.g., administrator) and obtains a legitimate, unexpired passwordless login link that was previously generated for this user. This link contains a numeric user ID.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the numeric user ID from the \u003ccode\u003e?dologin=\u0026lt;id\u0026gt;.\u0026lt;hash\u0026gt;\u003c/code\u003e parameter of the observed link.\u003c/li\u003e\n\u003cli\u003eThe attacker performs an offline brute-force attack against the \u003ccode\u003emt_srand()\u003c/code\u003e seed space (approximately 10^6 candidates) to reconstruct the \u003ccode\u003e32-character magic-link token\u003c/code\u003e (\u003ccode\u003e\u0026lt;hash\u0026gt;\u003c/code\u003e) corresponding to the target user and link generation time.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request to the WordPress site, incorporating the target numeric user ID and the successfully reconstructed token in the \u003ccode\u003e?dologin=\u0026lt;id\u0026gt;.\u0026lt;reconstructed_hash\u0026gt;\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ePswdless::try_login()\u003c/code\u003e function, registered on the unauthenticated \u003ccode\u003einit\u003c/code\u003e hook, receives and processes this request, comparing the supplied token.\u003c/li\u003e\n\u003cli\u003eUpon successful verification (due to the reconstructed token), the plugin directly invokes \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e, establishing an authenticated session for the attacker as the target user, bypassing standard \u003ccode\u003ewp_authenticate()\u003c/code\u003e and any lockout mechanisms.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the WordPress site if the targeted user possessed administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-14495 grants unauthenticated attackers complete administrative control over affected WordPress websites. This bypasses all authentication safeguards, allowing attackers to log in as any user, including administrators, without requiring a password. The direct call to \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e means that typical login security measures, such as brute-force detection and account lockouts, are bypassed. Consequences include full data exfiltration, website defacement, arbitrary code execution via plugin/theme modifications, introduction of malware, and complete compromise of the web server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-14495\u003c/strong\u003e immediately by updating the DoLogin Security plugin to a version greater than 4.3 or to the latest available version as provided by the vendor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview web server access logs\u003c/strong\u003e for unusual or repeated GET requests containing the \u003ccode\u003edologin\u003c/code\u003e parameter, specifically targeting administrator user IDs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement web application firewall (WAF)\u003c/strong\u003e rules to monitor and potentially block requests attempting to exploit CVE-2026-14495, though specific patterns might be difficult to distinguish from legitimate use.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T06:23:36Z","date_published":"2026-07-08T06:23:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dologin-auth-bypass/","summary":"The DoLogin Security plugin for WordPress, in all versions up to and including 4.3, is vulnerable to authentication bypass (CVE-2026-14495) due to insufficient randomness in magic-link token generation, allowing unauthenticated attackers to brute-force and reconstruct valid passwordless login tokens for any user, including administrators, and gain full control.","title":"CVE-2026-14495: DoLogin Security Plugin Authentication Bypass via Insufficient Randomness","url":"https://feed.craftedsignal.io/briefs/2026-07-dologin-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - DoLogin Security Plugin \u003c= 4.3","version":"https://jsonfeed.org/version/1.1"}