Temporary Login WordPress Plugin Authentication Bypass Vulnerability
Vulnerability
A vulnerability allowing authentication bypass has been identified in the Temporary Login plugin for WordPress, affecting all versions up to and including 1.0.0. The issue arises from inadequate input validation in the 'maybe_login_temporary_user()' function, which does not check that the 'temp-login-token' GET parameter is a scalar string before processing it. When the parameter is sent as an array, a non-empty array passes PHP's empty() check, and 'sanitize_key()', which only processes scalar values, returns an empty string. That empty string is then used as the meta_value in a user query. Because WordPress ignores an empty meta_value, the query returns every user carrying the '_temporary_login_token' meta_key. This flaw enables unauthenticated attackers to log in as any active temporary login user by sending a single crafted GET request.
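The following is an added illustration of the pattern described above beside a hardened version of the same check; it is a reconstruction for this advisory, not the plugin's own code, and the hook points, the 'number'/'fields' query arguments and the login helper used are assumptions.

```php
<?php
// Illustrative reconstruction, not the plugin's own code. Function and meta-key
// names follow the advisory; everything else is assumed.

// Vulnerable pattern (as described above): the GET value goes straight to
// sanitize_key(). For an array, empty() is false, sanitize_key() returns ''
// because it only processes scalars, and get_users() with an empty meta_value
// matches every user that carries the '_temporary_login_token' key.
function vulnerable_maybe_login_temporary_user() {
    if ( empty( $_GET['temp-login-token'] ) ) {
        return;
    }
    $token = sanitize_key( $_GET['temp-login-token'] );
    $users = get_users( array(
        'meta_key'   => '_temporary_login_token',
        'meta_value' => $token,
    ) );
    // ... logs in the first user found
}

// Hardened pattern: accept only a non-empty string, refuse to query when
// sanitisation yields an empty value, and require exactly one match.
function hardened_maybe_login_temporary_user() {
    $raw = isset( $_GET['temp-login-token'] ) ? wp_unslash( $_GET['temp-login-token'] ) : '';
    if ( ! is_string( $raw ) || '' === $raw ) {
        return; // arrays, objects and missing values are rejected up front
    }
    $token = sanitize_key( $raw );
    if ( '' === $token ) {
        return; // never run a query with an empty meta_value
    }
    $users = get_users( array(
        'meta_key'   => '_temporary_login_token',
        'meta_value' => $token,
        'number'     => 2,    // fetch two so an ambiguous match is detectable
        'fields'     => 'ID',
    ) );
    if ( 1 !== count( $users ) ) {
        return; // no match, or more than one: log nobody in
    }
    // Re-check the stored value in constant time before trusting the lookup.
    $stored = get_user_meta( $users[0], '_temporary_login_token', true );
    if ( ! is_string( $stored ) || ! hash_equals( $stored, $token ) ) {
        return;
    }
    wp_set_auth_cookie( $users[0] );
}
```

Token expiry and one-time-use handling are outside what this advisory describes and are omitted here.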
Impact
Exploitation of this vulnerability allows unauthenticated attackers to authenticate as any active temporary login user, potentially leading to account takeover.
Reproduction
To reproduce this vulnerability, send a GET request to a WordPress site with the Temporary Login plugin installed, including the 'temp-login-token' parameter as an array. The request will bypass the token validation, allowing access as a temporary login user.
Remediation
Users are advised to update the Temporary Login plugin to version 1.1.0 or later.