The Temporary Login WordPress plugin (elemntor) versions up to 1.0.0 contain an authentication bypass vulnerability (CWE-288) due to improper input validation of the 'temp-login-token' GET parameter in the maybe_login_temporary_user() function. When an attacker supplies this parameter as an array, PHP's empty() check is bypassed, and sanitize_key() returns an empty string. WordPress then ignores the empty meta_value and returns all users with the '_temporary_login_token' meta_key, allowing the attacker to authenticate as any active temporary login user without a valid token. This flaw enables unauthenticated attackers to gain unauthorized access by sending a single crafted GET request. The vulnerability has a CVSS 3.1 score of 9.8 (critical) with network attack vector, low attack complexity, no privileges or user interaction required, and full confidentiality, integrity, and availability impact. No patch or official fix has been published yet.

Successful exploitation allows unauthenticated attackers to bypass authentication and gain access as any active temporary login user on the affected WordPress site. This can lead to full compromise of the site, including unauthorized access to sensitive data, modification of content, and potential further attacks. The vulnerability has a critical severity rating with a CVSS score of 9.8, reflecting the high impact on confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, it is recommended to disable or remove the Temporary Login plugin if possible to prevent exploitation. Monitor official elemntor and WordPress security channels for updates. Avoid exposing the plugin to untrusted networks or users.