CVE-2025-15100
8.8 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Awaiting Analysis
Quick Summary
A vulnerability in the JAY Login & Register WordPress plugin allows any logged-in user, even with the lowest 'Subscriber' role, to modify website user data and grant themselves full administrator access.
Who is affected
All WordPress sites running the plugin at version 2.6.03 or earlier are affected. Any authenticated user, including a Subscriber, can escalate to administrator and thereby take complete control of the website. On sites where registration is open (the plugin's own purpose), the authenticated-user precondition is met by anyone who can sign up.
Recommended fix
Immediately update the JAY Login & Register plugin to a version higher than 2.6.03. If no fixed release is available, deactivate and remove the plugin. After remediating, review the administrator accounts (Users screen filtered by role, or `wp user list --role=administrator` with WP-CLI) and remove or demote any account that should not hold that role, since an attacker who already exploited this keeps the role until it is revoked.
Technical Description
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. The cause is that the plugin lets a user update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. WordPress stores a user's roles in a user meta entry (the `{table_prefix}capabilities` key, `wp_capabilities` on a default install), so a caller who controls the meta key and value can write that entry and assign themselves the administrator role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
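As an added illustration of the vulnerability class described above, the following shows the pattern the description implies (an AJAX profile handler that writes whatever meta keys the client sends) beside a hardened version. This is not the JAY Login & Register plugin's code, which this page does not reproduce; the function names, AJAX action names, nonce name and profile field names are assumptions chosen for the example.

```php
<?php
// Added illustration; NOT the plugin's own code. All names below are assumed.

// --- Vulnerable pattern: any logged-in user can write arbitrary user meta. ---
// WordPress keeps a user's roles in the '{prefix}capabilities' user meta
// ('wp_capabilities' on a default install). If the client may pick the meta
// key, a Subscriber can POST wp_capabilities[administrator]=1 and the loop
// below serializes that array into the role entry, making them an admin.
function example_vuln_ajax_update_profile() {
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in' ); // wp_send_json_error() exits
    }
    // Every POST field is written straight through as a meta key/value pair.
    // sanitize_key() only lowercases and strips odd characters; it does not
    // stop 'wp_capabilities' from being used as the key.
    foreach ( $_POST as $key => $value ) {
        update_user_meta( $user_id, sanitize_key( $key ), $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_vuln_update_profile', 'example_vuln_ajax_update_profile' );

// --- Hardened pattern: nonce, capability check, allowlist of writable keys. ---
function example_safe_ajax_update_profile() {
    // Reject cross-site requests: the form must carry a nonce for this action.
    check_ajax_referer( 'example_update_profile', '_nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only these profile fields may be written, each with its own sanitizer.
    // Role and capability meta is unreachable no matter what key is sent.
    $allowed = array(
        'first_name'  => 'sanitize_text_field',
        'last_name'   => 'sanitize_text_field',
        'description' => 'sanitize_textarea_field',
    );
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $_POST[ $key ] ) ) {
            $clean = call_user_func( $sanitizer, wp_unslash( $_POST[ $key ] ) );
            update_user_meta( $user_id, $key, $clean );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_safe_update_profile', 'example_safe_ajax_update_profile' );
```

The important difference is not input sanitization but which keys the client is allowed to name: the hardened handler iterates over a server-side allowlist rather than over `$_POST`, so role changes can only ever happen through `WP_User::set_role()` in code paths that check `promote_users`.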
CVSS Details
Attack Vector
NETWORK
Complexity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-269 Improper Privilege Management