CVE-2026-14495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in wpdo5ea DoLogin Security
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.
AI Analysis
Technical Summary
CVE-2026-14495 describes an authentication bypass vulnerability in the DoLogin Security WordPress plugin (versions up to 4.3). The vulnerability arises from insufficient randomness in the generation of passwordless login tokens. The plugin seeds the Mersenne Twister PRNG with a value derived from microtime's fractional seconds only, resulting in approximately 20 bits of entropy. The 32-character magic-link token is then generated deterministically from this seed. Because the login function bypasses standard authentication checks and lockout mechanisms, an attacker can brute-force the limited seed space (~10^6 possibilities) to reconstruct a valid token and authenticate as any user, including administrators, if a valid unexpired login link exists and the numeric ID is known or guessable.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication and gain access to any targeted user account, including administrator accounts, without needing a password. This compromises confidentiality, integrity, and availability of the affected WordPress site. The attack requires a valid, unexpired passwordless login link and knowledge or guessability of the numeric link ID. The vulnerability can lead to full site compromise.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling the passwordless login feature or the DoLogin Security plugin entirely to prevent exploitation. Monitoring for suspicious login activity related to passwordless tokens is advised. Avoid exposing or guessing numeric link IDs. Follow vendor updates closely for an official fix.
CVE-2026-14495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in wpdo5ea DoLogin Security
Description
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password. Exploitation requires that a valid, unexpired passwordless login link (active for up to 7 days) exists for the target account at the time of the attack, and that the numeric link ID is known or guessable from the auto-increment primary key.
CVSS v3.1
Score 8.8high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-14495 describes an authentication bypass vulnerability in the DoLogin Security WordPress plugin (versions up to 4.3). The vulnerability arises from insufficient randomness in the generation of passwordless login tokens. The plugin seeds the Mersenne Twister PRNG with a value derived from microtime's fractional seconds only, resulting in approximately 20 bits of entropy. The 32-character magic-link token is then generated deterministically from this seed. Because the login function bypasses standard authentication checks and lockout mechanisms, an attacker can brute-force the limited seed space (~10^6 possibilities) to reconstruct a valid token and authenticate as any user, including administrators, if a valid unexpired login link exists and the numeric ID is known or guessable.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication and gain access to any targeted user account, including administrator accounts, without needing a password. This compromises confidentiality, integrity, and availability of the affected WordPress site. The attack requires a valid, unexpired passwordless login link and knowledge or guessability of the numeric link ID. The vulnerability can lead to full site compromise.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling the passwordless login feature or the DoLogin Security plugin entirely to prevent exploitation. Monitoring for suspicious login activity related to passwordless tokens is advised. Avoid exposing or guessing numeric link IDs. Follow vendor updates closely for an official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-07-02T17:42:28.811Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4de42ec9d9e3dbe38c3aba
Added to database: 07/08/2026, 05:46:22 UTC
Last enriched: 07/08/2026, 05:58:29 UTC
Last updated: 07/08/2026, 10:40:58 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.