Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update

Any logged-in user, including subscribers with minimal privileges, can update the plugin's settings because the update handler lacks authorization checks [CWE-863] [ref_id=1]. An attacker can craft a request that modifies plugin settings and, because there is no CSRF protection, could also trick a higher-privileged user into unknowingly submitting the change [ref_id=1]. The only precondition is being an authenticated WordPress user.

The plugin's settings update functionality lacks both authorization and CSRF checks. The advisory does not specify the exact file or function names, but the vulnerability affects the settings-update handler in the Temporary Login Without Password plugin before version 1.7.1 [ref_id=1].

The advisory states the vulnerability is fixed in version 1.7.1 but does not include a patch diff [ref_id=1]. The remediation would require adding capability checks (e.g., `current_user_can('manage_options')`) to verify the user has administrative privileges before processing settings updates, and adding a nonce check to prevent CSRF attacks [ref_id=1].