CVE-2025-1717
Login Me Now <= 1.7.2 - Authentication Bypass
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
| CWE | CWE-288 |
| Vendor | pluginly |
| Product | login me now – passwordless, magic link, otp & social login for wordpress |
| Published | Feb 27, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for pluginly login me now – passwordless, magic link, otp & social login for wordpress
Be the first to know when new high vulnerabilities affecting pluginly login me now – passwordless, magic link, otp & social login for wordpress are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
pluginly / Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress
0 ≤ 1.7.2
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/fc689622-50d6-47c4-a5f6-0314b1a207c9?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/login-me-now/tags/1.7.2/app/Logins/BrowserTokenLogin/AutoLogin.php#L24 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3247924/login-me-now
Credits
István Márton