The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP's empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key '_temporary_login_token', allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Temporary Login plugin for WordPress (versions up to 1.0.0) contains a critical authentication bypass vulnerability (CVE-2026-7567, CVSS 9.8) stemming from improper input validation in the maybe_login_temporary_user() function. The flaw is a type confusion: the 'temp-login-token' GET parameter is not validated as a scalar string before processing. When an attacker supplies this parameter as an array instead of a string, PHP's empty() check does not reject it, sanitize_key() returns an empty string, and token verification is bypassed entirely. Any WordPress site running the vulnerable plugin is at risk: unauthenticated attackers can log in as any active temporary login user without knowing credentials, a complete compromise of authentication controls.
While this CVE does not map directly to existing MITRE ATT&CK techniques in the current framework, Casky's AI-driven analysis would identify this as an authentication evasion pattern tied to Input Validation failures (CWE-288). Practitioners using Casky would detect attack patterns associated with Credential Access and Initial Access tactics, specifically anomalous login attempts using malformed parameters, unusual token structures in access logs, and successful authentication without corresponding credential submission. The platform's 754 mapped security skills would highlight detection opportunities around PHP type juggling exploits, WordPress authentication function abuse, and suspicious GET parameter manipulation—enabling security teams to create detection rules for array-based parameter injection attempts and monitor for authentication bypass indicators before exploitation occurs in their environments.
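A log check for the array form of the parameter described above, as an added example that is not Casky's or the plugin's own code. It assumes Combined Log Format access logs and PHP's default `&` query separator; the sample lines, IP addresses and token values are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

PARAM = "temp-login-token"  # parameter name taken from the advisory text

# Combined Log Format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# PHP builds an array only when the name is followed by a closed bracket pair.
ARRAY_KEY_RE = re.compile(re.escape(PARAM) + r"\[[^\]]*\]")


def array_form_keys(target):
    """Return query keys in the request target that PHP would parse as an array."""
    hits = []
    for pair in urlsplit(target).query.split("&"):
        # Decode once, as PHP does, so %5B%5D is caught but %255B%255D is not.
        key = unquote_plus(pair.split("=", 1)[0])
        if ARRAY_KEY_RE.match(key):
            hits.append(key)
    return hits


def scan(lines):
    """Return one finding per log line that carries the array form of PARAM."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (keys := array_form_keys(m["target"])):
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "keys": keys})
    return findings


# Constructed sample lines (documentation IP ranges, placeholder token values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /?temp-login-token=abc123 HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2026:10:05:00 +0000] "GET /?temp-login-token[]=x HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2026:10:06:00 +0000] "GET /?temp-login-token%5B%5D= HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jan/2026:10:07:00 +0000] "GET /?temp-login-token%255B%255D=x HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2026:10:08:00 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate temporary login link carries the token as a plain string, so any hit from `scan` is worth reviewing alongside the session activity that follows it from the same client.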
© 2026 Casky.AI, Inc. · AI Security Investigation