The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The DoLogin Security plugin for WordPress versions up to 4.3 contains a critical authentication bypass vulnerability stemming from insufficient entropy in magic-link token generation. The vulnerability exploits the `rrand()` function, which seeds PHP's Mersenne Twister with only microsecond-precision values (~20 bits of entropy) rather than cryptographically secure random sources. This allows attackers to predict or brute-force the 32-character authentication tokens used for passwordless login, effectively bypassing the plugin's primary security mechanism. Organizations using this plugin for WordPress authentication are at immediate risk of unauthorized account access, as threat actors can forge valid magic links without credentials.
While this CVE does not map to specific MITRE ATT&CK techniques, Casky's security skills powered by Claude AI would detect the underlying attack patterns associated with credential access and initial access exploitation. A practitioner reviewing Casky findings would identify indicators including: weak cryptographic implementations in authentication workflows, predictable token generation patterns, and brute-force attack feasibility against magic-link endpoints. Claude's extended reasoning capabilities would correlate these findings with CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) to reveal how attackers could systematically forge authentication tokens by replaying microtime values or enumerating the constrained seed space. Practitioners would see detection patterns flagging authentication token generation processes that rely on time-based seeding rather than `/dev/urandom` or `random_bytes()`, enabling proactive remediation before exploitation.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-14495. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation