Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-14495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in wpdo5ea DoLogin Security

0
High
VulnerabilityCVE-2026-14495cvecve-2026-14495cwe-338
Published: 07/08/2026 (07/08/2026, 05:34:07 UTC)
Source: CVE Database V5
Vendor/Project: wpdo5ea
Product: DoLogin Security

Description

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.

CVSS v3.1

Score 8.8high

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected software

Affected versions
<=4.3

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 05:58:29 UTC

Technical Analysis

CVE-2026-14495 describes an authentication bypass vulnerability in the DoLogin Security WordPress plugin (versions up to 4.3). The vulnerability arises from insufficient randomness in the generation of passwordless login tokens. The plugin seeds the Mersenne Twister PRNG with a value derived from microtime's fractional seconds only, resulting in approximately 20 bits of entropy. The 32-character magic-link token is then generated deterministically from this seed. Because the login function bypasses standard authentication checks and lockout mechanisms, an attacker can brute-force the limited seed space (~10^6 possibilities) to reconstruct a valid token and authenticate as any user, including administrators, if a valid unexpired login link exists and the numeric ID is known or guessable.

Potential Impact

Successful exploitation allows an unauthenticated attacker to bypass authentication and gain access to any targeted user account, including administrator accounts, without needing a password. This compromises confidentiality, integrity, and availability of the affected WordPress site. The attack requires a valid, unexpired passwordless login link and knowledge or guessability of the numeric link ID. The vulnerability can lead to full site compromise.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling the passwordless login feature or the DoLogin Security plugin entirely to prevent exploitation. Monitoring for suspicious login activity related to passwordless tokens is advised. Avoid exposing or guessing numeric link IDs. Follow vendor updates closely for an official fix.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-07-02T17:42:28.811Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4de42ec9d9e3dbe38c3aba

Added to database: 07/08/2026, 05:46:22 UTC

Last enriched: 07/08/2026, 05:58:29 UTC

Last updated: 07/08/2026, 10:40:58 UTC

Views: 9

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses