<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>DoLogin Security Plugin &lt;= 4.3 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dologin-security-plugin--4.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 06:23:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dologin-security-plugin--4.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14495: DoLogin Security Plugin Authentication Bypass via Insufficient Randomness</title><link>https://feed.craftedsignal.io/briefs/2026-07-dologin-auth-bypass/</link><pubDate>Wed, 08 Jul 2026 06:23:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dologin-auth-bypass/</guid><description>The DoLogin Security plugin for WordPress, in all versions up to and including 4.3, is vulnerable to authentication bypass (CVE-2026-14495) due to insufficient randomness in magic-link token generation, allowing unauthenticated attackers to brute-force and reconstruct valid passwordless login tokens for any user, including administrators, and gain full control.</description><content:encoded><![CDATA[<p>The DoLogin Security plugin for WordPress, specifically in versions up to and including 4.3, harbors a critical authentication bypass vulnerability, tracked as CVE-2026-14495. This flaw stems from insufficient randomness in the <code>dologin\s::rrand()</code> function, which seeds the Mersenne Twister pseudorandom number generator using only the microsecond component of the current time. This constrains the seed space to approximately 10^6 possible values, making the 32-character magic-link tokens generated from it predictable. An unauthenticated attacker can leverage this weakness to brute-force the limited seed space offline, thereby reconstructing active passwordless login tokens. Successful exploitation allows the attacker to authenticate as any targeted user, including administrators, without a password, as the plugin directly calls <code>wp_set_auth_cookie()</code> and bypasses standard authentication and lockout mechanisms. Exploitation requires a valid, unexpired passwordless link to exist for the target, and knowledge or guesswork of the numeric user ID.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a WordPress site utilizing the vulnerable DoLogin Security plugin (version &lt;= 4.3).</li>
<li>The attacker identifies a target user (e.g., administrator) and obtains a legitimate, unexpired passwordless login link that was previously generated for this user. This link contains a numeric user ID.</li>
<li>The attacker extracts the numeric user ID from the <code>?dologin=&lt;id&gt;.&lt;hash&gt;</code> parameter of the observed link.</li>
<li>The attacker performs an offline brute-force attack against the <code>mt_srand()</code> seed space (approximately 10^6 candidates) to reconstruct the <code>32-character magic-link token</code> (<code>&lt;hash&gt;</code>) corresponding to the target user and link generation time.</li>
<li>The attacker crafts a malicious GET request to the WordPress site, incorporating the target numeric user ID and the successfully reconstructed token in the <code>?dologin=&lt;id&gt;.&lt;reconstructed_hash&gt;</code> parameter.</li>
<li>The vulnerable <code>Pswdless::try_login()</code> function, registered on the unauthenticated <code>init</code> hook, receives and processes this request, comparing the supplied token.</li>
<li>Upon successful verification (due to the reconstructed token), the plugin directly invokes <code>wp_set_auth_cookie()</code>, establishing an authenticated session for the attacker as the target user, bypassing standard <code>wp_authenticate()</code> and any lockout mechanisms.</li>
<li>The attacker gains full control over the WordPress site if the targeted user possessed administrative privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-14495 grants unauthenticated attackers complete administrative control over affected WordPress websites. This bypasses all authentication safeguards, allowing attackers to log in as any user, including administrators, without requiring a password. The direct call to <code>wp_set_auth_cookie()</code> means that typical login security measures, such as brute-force detection and account lockouts, are bypassed. Consequences include full data exfiltration, website defacement, arbitrary code execution via plugin/theme modifications, introduction of malware, and complete compromise of the web server.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-14495</strong> immediately by updating the DoLogin Security plugin to a version greater than 4.3 or to the latest available version as provided by the vendor.</li>
<li><strong>Review web server access logs</strong> for unusual or repeated GET requests containing the <code>dologin</code> parameter, specifically targeting administrator user IDs.</li>
<li><strong>Implement web application firewall (WAF)</strong> rules to monitor and potentially block requests attempting to exploit CVE-2026-14495, though specific patterns might be difficult to distinguish from legitimate use.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>authentication-bypass</category><category>web-exploitation</category><category>cve</category></item></channel></rss>