PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14495 wpdo5ea CVE debrief

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed.

Vendor
wpdo5ea
Product
DoLogin Security
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Administrators and users of the DoLogin Security plugin for WordPress should be aware of this vulnerability and take immediate action to protect their sites. This includes updating the plugin to the latest version, using a Web Application Firewall (WAF) to detect and prevent attacks, monitoring the WordPress site for suspicious activity, using strong passwords and enabling two-factor authentication, and limiting login attempts and implementing rate limiting.

Technical summary

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Because `Pswdless::try_login()` is registered on the unauthenticated `init` hook, resolves the target account by the auto-increment numeric ID embedded in the `?dologin=<id>.<hash>` parameter, performs the hash comparison using a non-constant-time `!=` operator, and then calls `wp_set_auth_cookie()` directly — never passing through `wp_authenticate()` and therefore never triggering the plugin's own `Auth::_has_login_err()` lockout — an unauthenticated attacker can brute-force the ~10^6-candidate seed space to reconstruct an active passwordless login token and authenticate as any targeted user, including administrators, without a password.

Defensive priority

High

Recommended defensive actions

  • Update the DoLogin Security plugin to the latest version
  • Use a Web Application Firewall (WAF) to detect and prevent attacks
  • Monitor your WordPress site for suspicious activity
  • Use strong passwords and enable two-factor authentication
  • Limit login attempts and implement rate limiting

Evidence notes

The vulnerability was reported by [email protected] and is described in detail on the Wordfence website. The vulnerability exists because `dologin::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is drawn sequentially with `mt_rand()`, making the entire token a deterministic function of that seed. Evidence is limited, and defenders should verify the vulnerability's existence and scope, and check for any additional information from the vendor or other sources.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T06:16:22.443Z and has not been modified since then.