CVE-2025-1717

Published Feb 27, 2025

Last updated 24 days ago

CVSS high 8.1

Overview

Description: The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
Source: security@wordfence.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.1
Impact score: 5.9
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

security@wordfence.com: CWE-288
nvd@nist.gov: CWE-306

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:pluginly:login_me_now:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B33D8036-17F4-4D22-AF3A-C0FD0C95A9C4",
            "versionEndIncluding": "1.7.2"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References