CVE-2026-14495
HIGHDoLogin Security <= 4.3 - Unauthenticated Authentication Bypass via Insufficient Randomness via 'dologin' Parameter Weak PRNG Token
CVSS v3
8.8
HIGH
EPSS Score
—
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is d
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 7/8/2026
- Last Modified
- 7/8/2026
Frequently Asked Questions
What is CVE-2026-14495?
The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rrand()` seeds the Mersenne Twister with `mt_srand((double) microtime() * 1000000)` — discarding the integer-seconds component of `microtime()` and constraining the seed to a range of approximately 10^6 values (~20 bits of entropy) — after which every character of the 32-character magic-link token is d
Is CVE-2026-14495 actively exploited?
Active exploitation of CVE-2026-14495 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-14495?
CVE-2026-14495 has a CVSS v3 base score of 8.8 (HIGH severity), with vector string 3.1.
Is CVE-2026-14495 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.