CVE-2025-1717: CWE-288 Authentication Bypass Using an Alternate Path or Channel in pluginly Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
AI Analysis
Technical Summary
The Login Me Now plugin for WordPress contains an authentication bypass vulnerability (CWE-288) due to insecure handling of transient names in the 'AutoLogin::listen()' function. This flaw allows unauthenticated attackers to bypass authentication and log in as any user on the site, including administrators, if they can supply a transient name and value originating from another software. The vulnerability affects versions up to 1.7.2. No official patch or remediation has been confirmed yet.
Potential Impact
Successful exploitation enables unauthenticated attackers to gain unauthorized access to user accounts, including administrative accounts, potentially leading to full site compromise. The vulnerability impacts confidentiality, integrity, and availability of the affected WordPress site. However, exploitation requires specific conditions involving transient data from other software, limiting the vulnerability's standalone exploitability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should monitor vendor communications for updates. Given the exploitation requires transient data from other software, review and restrict interactions with other plugins or software that may influence transient values used by Login Me Now. Avoid using the affected plugin version in high-risk environments until a fix is available.
CVE-2025-1717: CWE-288 Authentication Bypass Using an Alternate Path or Channel in pluginly Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress
Description
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Login Me Now plugin for WordPress contains an authentication bypass vulnerability (CWE-288) due to insecure handling of transient names in the 'AutoLogin::listen()' function. This flaw allows unauthenticated attackers to bypass authentication and log in as any user on the site, including administrators, if they can supply a transient name and value originating from another software. The vulnerability affects versions up to 1.7.2. No official patch or remediation has been confirmed yet.
Potential Impact
Successful exploitation enables unauthenticated attackers to gain unauthorized access to user accounts, including administrative accounts, potentially leading to full site compromise. The vulnerability impacts confidentiality, integrity, and availability of the affected WordPress site. However, exploitation requires specific conditions involving transient data from other software, limiting the vulnerability's standalone exploitability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should monitor vendor communications for updates. Given the exploitation requires transient data from other software, review and restrict interactions with other plugins or software that may influence transient values used by Login Me Now. Avoid using the affected plugin version in high-risk environments until a fix is available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-02-26T15:43:02.736Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b17b7ef31ef0b54e0bf
Added to database: 2/25/2026, 9:35:19 PM
Last enriched: 4/9/2026, 10:04:59 AM
Last updated: 4/11/2026, 7:11:41 PM
Views: 28
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.