CVE-2025-1717

HIGH

Login Me Now < 1.7.2 - Unauthenticated Authentication Bypass via Arbitrary Transient Name

Title source: llm

Description

The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.

References (3)

Core 3

Core References

https://plugins.trac.wordpress.org/changeset/3247924/login-me-now

Product

https://plugins.trac.wordpress.org/browser/login-me-now/tags/1.7.2/app/Logins/BrowserTokenLogin/AutoLogin.php#L24

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/fc689622-50d6-47c4-a5f6-0314b1a207c9?source=cve

Scores

CVSS v3 8.1

EPSS 0.0054

EPSS Percentile 41.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-288 CWE-306

Status published

Products (2)

pluginly/Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress < 1.7.2

pluginly/login_me_now < 1.7.2

Published Feb 27, 2025

Tracked Since Feb 18, 2026