CVE-2025-15027
9.8 CRITICAL · Published 2026-02-08 · Modified 2026-02-09 · Awaiting Analysis
Quick Summary
A critical flaw in the JAY Login & Register WordPress plugin lets an unauthenticated attacker, with no existing account on the site, obtain administrator access. The plugin's AJAX account-creation function writes whatever user metadata the request supplies, and in WordPress a user's role is itself stored as user metadata, so the attacker can assign the administrator role instead of being limited to the role the plugin intended to grant.
Who is affected
All WordPress sites running this plugin at version 2.6.03 or earlier are affected. The attack needs no account, no user interaction and no special conditions, and a successful attacker gains full administrative control of the site.
Recommended fix
Immediately update the JAY Login & Register plugin to a version newer than 2.6.03. If no fixed version is available, deactivate and remove the plugin until one is. Because the flaw may already have been used before the update, also review the site's administrator accounts (for example with `wp user list --role=administrator`) and remove any account you did not create, then rotate credentials and check for other changes an administrator could have made, such as newly installed plugins or themes.
Technical Description
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing an unauthenticated request to update arbitrary user meta through the 'jay_login_register_ajax_create_final_user' function. Since WordPress stores a user's role and capabilities in user meta, this makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
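The following is an added illustration of the vulnerable pattern the description names, beside a hardened form; it is not code from the JAY Login & Register plugin, and the function names, the AJAX action name, the `meta` request parameter and the allowlist are all hypothetical. The only WordPress-specific fact it relies on is that a user's role lives in the `{$wpdb->prefix}capabilities` user meta key (`wp_capabilities` on a default install), which is why letting a request choose arbitrary meta keys is equivalent to letting it choose a role.

```php
<?php
/*
 * Illustrative reconstruction, not the plugin's actual code. Names prefixed
 * "example_" are hypothetical. Both handlers assume they run inside WordPress.
 */

// VULNERABLE PATTERN: every key under $_POST['meta'] is copied into user meta.
// WordPress keeps the role in "{$wpdb->prefix}capabilities" (wp_capabilities
// by default), so a request carrying
//     meta[wp_capabilities][administrator]=1
// creates an account whose serialized capabilities mark it as administrator.
function example_vulnerable_create_final_user() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        'role'       => 'subscriber', // intended role; overwritten below
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    // The bug: attacker-chosen keys, including wp_capabilities, reach update_user_meta().
    foreach ( (array) ( $_POST['meta'] ?? array() ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
// The _nopriv_ hook is what exposes the handler to unauthenticated visitors.
add_action( 'wp_ajax_nopriv_example_create_final_user', 'example_vulnerable_create_final_user' );

// HARDENED PATTERN: nonce check, a fixed allowlist of profile meta keys, and
// role/capability meta is never reachable from request data.
const EXAMPLE_ALLOWED_META = array( 'first_name', 'last_name', 'description' );

// Pure filter kept separate so it is easy to unit test outside WordPress.
function example_filter_user_meta( array $input ) {
    $clean = array();
    foreach ( $input as $key => $value ) {
        $key = sanitize_key( (string) $key );           // lowercase [a-z0-9_-] only
        if ( ! in_array( $key, EXAMPLE_ALLOWED_META, true ) ) {
            continue;                                     // drop wp_capabilities, wp_user_level, anything unexpected
        }
        if ( ! is_string( $value ) ) {
            continue;                                     // refuse arrays; capability meta is an array
        }
        $clean[ $key ] = sanitize_text_field( wp_unslash( $value ) );
    }
    return $clean;
}

function example_hardened_create_final_user() {
    check_ajax_referer( 'example_register', 'nonce' );   // dies on a missing/invalid nonce
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
        'role'       => get_option( 'default_role', 'subscriber' ), // role comes from site config, never the request
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    foreach ( example_filter_user_meta( (array) ( $_POST['meta'] ?? array() ) ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_create_final_user_safe', 'example_hardened_create_final_user' );
```

The allowlist, not a denylist of `wp_capabilities`, is the important design choice: the capabilities key carries the table prefix, so a site with a non-default prefix would slip past a hard-coded `wp_capabilities` check, and `wp_user_level` and other role-adjacent keys would need denying too. Refusing array values is a second, independent barrier, since WordPress serializes the capabilities meta as an array.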
CVSS Details
Attack Vector
NETWORK
Complexity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-269