PT-2025-42292 · WordPress · Wpbifröst

Published: 2025-10-15 · Updated: 2025-10-15 · CVE-2025-10299

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: WPBifröst versions through 1.0.7

Description: The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress has an issue that allows authenticated attackers with Subscriber-level access or higher to create new administrative user accounts. This is due to a missing capability check on the ctl create link AJAX action. Attackers can then log in as these newly created administrative users.

Recommendations: Update to version 1.0.8.

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-10299

Affected Products

Wpbifröst