Authentication Bypass Vulnerability in DoLogin Security Plugin for WordPress
CVE-2026-14495

8.8HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
8 July 2026

What is CVE-2026-14495?

The DoLogin Security plugin for WordPress contains a vulnerability that allows attackers to bypass authentication mechanisms. This occurs due to insufficient randomness during the generation of passwordless login tokens, relying on a predictable seeding method. By exploiting this flaw, an unauthenticated attacker could reconstruct valid login tokens, enabling unauthorized access to user accounts, including those of administrators. An attack requires knowledge of a user's numeric ID and a valid, unexpired passwordless login link, which are often guessable in practice.

Affected Version(s)

DoLogin Security 0 <= 4.3

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

samuel pages chartier
.