PatchSiren cyber security CVE debrief
CVE-2026-14495 wpdo5ea CVE debrief
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed.
- Vendor
- wpdo5ea
- Product
- DoLogin Security
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Administrators and users of the DoLogin Security plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This includes updating the plugin to the latest version, using a Web Application Firewall (WAF) to detect and prevent attacks, monitoring the WordPress site for suspicious activity, using strong passwords and enabling two-factor authentication, and limiting login attempts and implementing rate limiting.
Technical summary
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password.
Defensive priority
High
Recommended defensive actions
- Update the DoLogin Security plugin to the latest version
- Use a Web Application Firewall (WAF) to detect and prevent attacks
- Monitor your WordPress site for suspicious activity
- Use strong passwords and enable two-factor authentication
- Limit login attempts and implement rate limiting
Evidence notes
The vulnerability was reported by [email protected] and is described in detail on the Wordfence website. The vulnerability exists because `dologin::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Evidence is limited, and defenders should verify the vulnerability's existence and scope, and check for any additional information from the vendor or other sources.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T06:16:22.443Z and has not been modified since then.