CVE-2026-7567

WordPress · Temporary Login plugin

The Temporary Login plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to log in as any temporary user.

Executive summary

An unauthenticated authentication bypass vulnerability in the Temporary Login WordPress plugin allows attackers to compromise user accounts.

Vulnerability

The maybe_login_temporary_user() function improperly handles the temp-login-token parameter, allowing an array input to bypass security checks and return all users associated with the temporary login meta key.

Business impact

With a CVSS score of 9.8, this flaw allows unauthenticated remote attackers to gain unauthorized access to the WordPress environment. This could lead to full site takeover, data exfiltration, or the modification of site content.

Remediation

Immediate Action: Update the Temporary Login plugin to the latest version available from the vendor.

Proactive Monitoring: Review WordPress user access logs for unusual login activity or spikes in authentication attempts using temporary login tokens.

Compensating Controls: Use a Web Application Firewall (WAF) to block requests containing array-based inputs for the temp-login-token parameter.
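
The monitoring and WAF guidance above can be checked against existing web server logs. The following is an added example, not code from the plugin or its vendor: it flags requests that pass temp-login-token using PHP array syntax. It assumes the token arrives in the query string and that logs use the common/combined access log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

PARAM = "temp-login-token"  # parameter name taken from the advisory

# Combined/common log format: client IP first, then "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] '
    '"GET /?temp-login-token=CONSTRUCTED HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] '
    '"GET /?temp-login-token[]=CONSTRUCTED HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2026:10:00:06 +0000] '
    '"GET /?temp-login-token%5B0%5D=CONSTRUCTED HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jan/2026:10:00:09 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 2048',
]

def array_token_keys(target):
    """Return decoded query keys that supply PARAM as an array (key[...])."""
    hits = []
    query = target.partition("?")[2]
    for pair in re.split(r"[&;]", query):
        raw_key = pair.split("=", 1)[0].replace("+", " ")
        # URL-decode so %5B/%5D brackets are caught; PHP ignores leading
        # spaces in parameter names, so strip them before comparing.
        key = unquote(raw_key).lstrip()
        if key.startswith(PARAM + "["):
            hits.append(key)
    return hits

def scan(lines):
    """Return (client_ip, request_target) for each suspicious log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and array_token_keys(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"array-style {PARAM} from {ip}: {target}")
```

Access logs normally do not record request bodies, so this check only covers tokens sent in the URL; the same bracket test on the decoded parameter name is what a WAF rule would enforce.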

Exploitation status

Public Exploit Available: No

Analyst recommendation

Site administrators should update the affected plugin immediately. Given the ease of exploitation, this vulnerability poses a significant risk to the security and integrity of the affected WordPress site.