CVE-2025-15027
Privilege Escalation in JAY Login & Register WordPress Plugin
Publication date: 2026-02-08
Last updated on: 2026-02-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jay_login_register | plugin | up to and including 2.6.03 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The JAY Login & Register plugin for WordPress has a vulnerability that allows privilege escalation. Specifically, in all versions up to and including 2.6.03, the plugin permits an unauthenticated attacker to update arbitrary user meta data via the 'jay_login_register_ajax_create_final_user' function.
This means an attacker can elevate their privileges to that of an administrator without needing to be logged in.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to gain administrator-level access to a WordPress site using the JAY Login & Register plugin.
- An attacker could take full control of the website.
- They could modify or delete content, install malicious code, or steal sensitive information.
- The integrity, confidentiality, and availability of the website and its data could be compromised.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know