CVE-2025-10299
WPBifröst · WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress
A high-severity privilege escalation vulnerability exists in the "WPBifröst – Instant Passwordless Temporary Login Links" WordPress plugin.
Executive summary
The plugin's AJAX endpoint for generating passwordless login links does not check the caller's capabilities. As a result, any authenticated user, down to the subscriber role, can generate a temporary login link for any account on the site, including an administrator account, and log in with it. Successful exploitation gives the attacker full administrative control of the affected WordPress site.
Vulnerability
The vulnerability is a Broken Access Control issue caused by a missing capability check. The plugin's ctl_create_link AJAX function, which generates the passwordless login links, never verifies (for example via current_user_can()) that the user making the request holds an administrative capability. Because WordPress dispatches wp_ajax_* actions for every logged-in user, a low-privileged authenticated attacker such as a subscriber can POST directly to /wp-admin/admin-ajax.php with action=ctl_create_link and the identifier of a high-privileged user (e.g., an administrator), receive a valid one-time login link for that user, and then use the link to obtain full administrative access to the site.
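The following is an added, schematic illustration of the flaw class described above and of the corresponding fix; it is not the plugin's actual code. Only the ctl_create_link action name comes from the advisory; the parameter name user_id, the nonce action name, and the link-generation helper are assumptions made for the example.

```php
<?php
// Added illustration of a missing-capability-check AJAX handler and its hardened form.
// NOT the WPBifröst plugin's own code. The action name 'ctl_create_link' is from the
// advisory; 'user_id', the nonce name, and ctl_example_generate_link() are assumptions.

// Stand-in for whatever the real plugin does to mint a temporary login link.
function ctl_example_generate_link( int $user_id ): string {
    $token = wp_generate_password( 32, false );
    // A real implementation would persist a hash of $token with an expiry for $user_id.
    return add_query_arg( array( 'ctl_token' => $token, 'uid' => $user_id ), home_url( '/' ) );
}

// VULNERABLE PATTERN (shown for contrast; deliberately not registered on any hook).
// wp_ajax_* callbacks run for every authenticated user, so a subscriber can reach this
// and request a link for user_id = 1 (typically the first administrator).
function ctl_create_link_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    wp_send_json_success( array( 'link' => ctl_example_generate_link( $user_id ) ) );
}

// HARDENED PATTERN: CSRF nonce, a capability gate, and a per-target check so a caller can
// only mint links for users they are allowed to edit (on multisite this also stops a
// site administrator from targeting a super admin).
add_action( 'wp_ajax_ctl_create_link', 'ctl_create_link_hardened' );
function ctl_create_link_hardened() {
    // The client must send wp_create_nonce( 'ctl_create_link' ) as the 'nonce' field;
    // check_ajax_referer() dies with HTTP 403 if it is missing or invalid.
    check_ajax_referer( 'ctl_create_link', 'nonce' );

    // Capability gate: only users who may manage the site at all get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $target  = get_userdata( $user_id );
    if ( ! $target ) {
        wp_send_json_error( 'no_such_user', 400 );
    }

    // Per-target check: 'edit_user' is a WordPress meta capability that resolves
    // against the specific user, so the caller cannot escalate past their own level.
    if ( ! current_user_can( 'edit_user', $target->ID ) ) {
        wp_send_json_error( 'cannot_target_user', 403 );
    }

    wp_send_json_success( array( 'link' => ctl_example_generate_link( $target->ID ) ) );
}
```

The two checks are deliberately separate: the capability gate rejects the subscriber in the advisory's scenario outright, while the edit_user check closes the remaining gap where a privileged but non-top-level caller asks for a link to an account above their own.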
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would grant an attacker complete administrative control over the website. This could lead to severe business consequences, including theft of sensitive user data, financial information, and intellectual property; website defacement causing significant reputational damage; and the use of the compromised server to host malware or launch further attacks against other systems.
Remediation
Immediate Action: Update the "WPBifröst – Instant Passwordless Temporary Login Links" plugin to the latest patched version provided by the vendor. If the plugin is not essential for business operations, deactivate and delete it entirely to eliminate the attack surface; a deactivated plugin that remains installed can be re-enabled, so removal is preferred.
Proactive Monitoring: Security teams should review web server access logs for POST requests to /wp-admin/admin-ajax.php containing the parameter action=ctl_create_link, and flag any that originate from non-administrative users. Note that admin-ajax.php normally receives the action parameter in the POST body, which default Apache and nginx access-log formats do not record; only requests that place action=ctl_create_link in the query string will be visible there. For complete coverage, log the action at the application layer (for example from a must-use plugin hooked on the wp_ajax_ctl_create_link action) or from a WAF or reverse proxy that inspects request bodies. Additionally, audit WordPress security logs for unexpected administrator logins, unusual session activity, or the creation of new, unauthorized administrative accounts.
Compensating Controls: If patching is not immediately feasible, block or alert on requests to the vulnerable AJAX action (ctl_create_link) from any caller who is not an administrator. A Web Application Firewall (WAF) can match the action name in the request, but it cannot see the WordPress role behind a session cookie, so a WAF rule must either block the action entirely or allow it only from trusted source addresses; an in-application guard that evaluates current_user_can() before the plugin's handler runs is more precise. Restricting new user registrations and enforcing the principle of least privilege for all user accounts also reduce the pool of accounts from which the attack can be launched.
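As an added example for the monitoring and compensating-control advice above (not code from the plugin or its vendor), the following must-use plugin records every call to the ctl_create_link action with the caller's identity and rejects it for non-administrators before the plugin's own handler runs. The action name is from the advisory; the log line format and the manage_options capability choice are assumptions for this example.

```php
<?php
/**
 * Plugin Name: ctl_create_link guard (added example; not the WPBifröst plugin's code)
 * Description: Logs and blocks non-administrator calls to the ctl_create_link AJAX action.
 *              Save as wp-content/mu-plugins/ctl-create-link-guard.php. Remove once patched.
 */

// mu-plugins load before regular plugins, and priority 0 runs ahead of the default
// priority 10, so this callback executes before the vulnerable handler on the same hook.
add_action( 'wp_ajax_ctl_create_link', 'ctlguard_inspect_request', 0 );
// The advisory describes an authenticated flaw; guarding the nopriv variant as well
// costs nothing and covers any unauthenticated registration of the same action.
add_action( 'wp_ajax_nopriv_ctl_create_link', 'ctlguard_inspect_request', 0 );

function ctlguard_inspect_request() {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'unauthenticated';

    // Log only parameter names, not values: the request may carry a nonce or token and
    // the plugin's actual parameter names are not known to this example.
    $params = implode( ',', array_map( 'sanitize_key', array_keys( $_POST ) ) );
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'n/a';

    // Assumed log format; one line per attempt so it is easy to grep or ship to a SIEM.
    $entry = sprintf(
        'ctl_create_link attempt: user_id=%d login=%s roles=%s params=[%s] ip=%s',
        $user->ID, $user->user_login, $roles, $params, $ip
    );
    error_log( $entry ); // wp-content/debug.log when WP_DEBUG_LOG is on, else the PHP error log

    // Only administrators (manage_options) may proceed; everyone else is refused here.
    // wp_send_json_error() ends with wp_die(), so the plugin's handler never executes.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( 'ctl_create_link BLOCKED: ' . $entry );
        wp_send_json_error( 'forbidden', 403 );
    }
}
```

Because the guard hooks the same action the plugin registers, it keeps working regardless of how the action parameter reaches admin-ajax.php (query string or POST body), which is exactly the gap that access-log review alone leaves open. Every blocked attempt from a subscriber or other low-privileged account should be treated as an exploitation attempt and investigated.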
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the CVSS score of 8.8, the availability of a public exploit, and the low barrier to exploitation (any authenticated account suffices), this vulnerability poses a serious risk to affected organizations. We strongly recommend that administrators update the plugin to the vendor-patched version immediately. If the plugin's functionality is not critical, it should be removed rather than merely deactivated. Although this CVE is not currently listed in the CISA KEV catalog, its severity warrants urgent attention to prevent a full site compromise.