Critical (9.8)

CVE-2025-15027

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user met...

CVSS Score 9.8

Overview

A critical security vulnerability has been discovered in the JAY Login & Register plugin for WordPress. This flaw allows any visitor to your website, without needing a password or account, to grant themselves full administrator privileges, taking complete control of the site.

Vulnerability Explained

In simple terms, the plugin contains a special function designed to help users register or update their profiles. Due to insufficient security checks, this function fails to verify who is making the request or what they are allowed to change. An attacker can send a crafted request to this function, targeting any user on the site—including the default administrator. By manipulating this request, they can overwrite the target account’s data, such as their user role, elevating the attacker’s access to the highest level.
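For reference, here is what a profile-update handler with the missing checks looks like. This is an added illustration, not the plugin's own code; the action name, function name and allowed field list are hypothetical. It shows the three controls the description says were absent: a nonce tied to the site's own form, acting only on the authenticated user rather than a client-supplied user ID, and an allowlist of meta keys that excludes the role-bearing `wp_capabilities` key.

```php
<?php
// Added example (not the JAY Login & Register plugin's code): a WordPress
// AJAX profile-update handler with the checks the advisory says were missing.
// The action/function names and field list are hypothetical.

add_action( 'wp_ajax_example_update_profile', 'example_update_profile' );

function example_update_profile() {
    // 1. Nonce: the request must originate from a form this site issued.
    check_ajax_referer( 'example_update_profile', '_wpnonce' );

    // 2. Identity: never trust a user ID supplied by the client. Act only on
    //    the logged-in user; wp_ajax_ (not wp_ajax_nopriv_) already excludes guests.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: only harmless profile fields may be written. Keys such as
    //    wp_capabilities / wp_user_level (which encode the role) are never accepted.
    $allowed = array(
        'first_name'  => 'sanitize_text_field',
        'last_name'   => 'sanitize_text_field',
        'description' => 'sanitize_textarea_field',
    );

    $updated = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $_POST[ $key ] ) ) {
            $value = call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) );
            update_user_meta( $user_id, $key, $value );
            $updated[] = $key;
        }
    }

    // Keys outside the allowlist are ignored, never written; log them so that
    // attempts to push unexpected fields show up in server logs.
    $unexpected = array_diff(
        array_keys( $_POST ),
        array_keys( $allowed ),
        array( 'action', '_wpnonce' )
    );
    if ( $unexpected ) {
        error_log( 'example_update_profile: ignored keys ' . implode( ',', $unexpected )
            . ' from user ' . $user_id );
    }

    wp_send_json_success( array( 'updated' => $updated ) );
}
```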

Potential Impact

The impact of this vulnerability is severe. A successful exploit results in a complete site takeover. An attacker with administrator privileges can:

  • Deface the website by changing content and themes.
  • Steal sensitive customer data, user information, or proprietary content.
  • Install backdoors or malicious plugins to maintain access even after the vulnerability is patched.
  • Use the server to launch attacks on other systems or distribute malware.

Given that exploitation requires no prior authentication, every unpatched website running this plugin is at immediate and significant risk.

Remediation and Mitigation Steps

Immediate action is required to secure affected websites.

  1. Update Immediately: The most critical step is to update the JAY Login & Register plugin to the latest available version (2.6.04 or higher) released by the developer. This update contains the necessary patch.
  2. If an Update is Not Available: If a patched version is not yet available for your setup, you must disable the plugin immediately via your WordPress admin panel or by renaming its folder via FTP/SFTP. Be aware that this may break site functionality related to user login and registration.
  3. Post-Exploitation Checks: If you suspect a compromise, you must conduct a thorough security audit. Review all administrator accounts for unauthorized changes, scan for unknown plugins or files, and consider engaging a security professional. Restoring from a known-clean backup taken prior to any suspected breach is strongly advised.
  4. General Best Practice: Always keep all WordPress plugins, themes, and the core itself updated to their latest stable versions to minimize exposure to known vulnerabilities.