Platform
wordpress
Component
jay-login-register
Fixed in
2.6.04
CVE-2025-15027 is a critical privilege escalation vulnerability in the JAY Login & Register plugin for WordPress. It lets an unauthenticated attacker obtain administrator privileges and thereby take over the affected site. All plugin versions up to and including 2.6.03 are affected (the advisory's range starts at 0.0.0); the fix is in version 2.6.04.
The impact is severe. A successful exploit bypasses authentication entirely and lands the attacker in the WordPress administrator role, which means full control of the site: editing content, installing malicious plugins, reading any data the site holds (user credentials, customer information, financial records), and using the site as a foothold against other systems it can reach. Defacement, data theft, and abuse of the compromised site to launch further attacks are all within reach. Given WordPress's install base and the fact that this plugin sits directly in the login and registration path, the exposure is broad.
The vulnerability was publicly disclosed on 2026-02-08. No public proof-of-concept (PoC) has been released at the time of writing, but the flaw is simple enough to exploit that one is likely to appear. Its criticality and the plugin's popularity point to a high probability of exploitation. It is not currently listed in the CISA KEV catalog.
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the JAY Login & Register plugin to version 2.6.04 or later immediately. If an immediate upgrade is not feasible because of compatibility or breaking changes, disable the plugin until it can be updated. A WAF rule that simply blocks the vulnerable request is hard to write without interfering with the plugin's normal operation, but monitoring for unexpected user creation or user-meta changes following AJAX requests that invoke the 'jayloginregisterajaxcreatefinaluser' action gives early detection. Afterwards, audit WordPress users and roles: look for administrator accounts you did not create, and keep every role at least privilege.
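The monitoring suggested above, as an added example (not code from the advisory or from the plugin): a small scanner over web-server access logs in combined log format that flags every request carrying the `jayloginregisterajaxcreatefinaluser` action and counts hits per source IP. It assumes the plugin exposes that action through WordPress's standard `wp-admin/admin-ajax.php` handler (the advisory names the action but not the URL); the log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Action name taken from the advisory. That it is reached through
# wp-admin/admin-ajax.php is the standard WordPress AJAX mechanism and is an
# assumption about this plugin, not something the advisory states.
SUSPECT_ACTION = "jayloginregisterajaxcreatefinaluser"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format:
#   ip ident user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2026:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2026:10:01:15 +0000] "POST /wp-admin/admin-ajax.php?action=jayloginregisterajaxcreatefinaluser HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.4 - - [08/Feb/2026:10:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 54 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2026:10:01:16 +0000] "POST /wp-admin/admin-ajax.php?action=jayloginregisterajaxcreatefinaluser HTTP/1.1" 200 87 "-" "python-requests/2.31"
192.0.2.9 - - [08/Feb/2026:10:05:01 +0000] "GET /wp-admin/admin-ajax.php?action=JayLoginRegisterAjaxCreateFinalUser HTTP/1.1" 200 87 "-" "curl/8.4"
"""


def find_suspect_requests(log_text: str) -> list:
    """Return one dict per request that invokes the suspect AJAX action.

    Caveat: combined log format does not record POST bodies, so an action
    sent only in the body is invisible here. Pair this with a WAF audit log
    (e.g. ModSecurity's) or request-body logging if you need that coverage.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not silently dropped from a real run
        parts = urlsplit(m["target"])
        if parts.path != AJAX_PATH:
            continue
        actions = parse_qs(parts.query).get("action", [])
        # Compared case-insensitively to be conservative while hunting;
        # WordPress hook names themselves are case-sensitive.
        if any(a.lower() == SUSPECT_ACTION for a in actions):
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "method": m["method"],
                "status": int(m["status"]),
                "ua": m["ua"],
            })
    return hits


def hits_per_ip(hits: list) -> Counter:
    """Repeated calls from one source are the signal worth escalating."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["method"]} status={h["status"]} ua={h["ua"]}')
    print("per-IP:", dict(hits_per_ip(found)))
```

Any hit should be correlated with the WordPress user table: a new account, or an existing account whose role changed to administrator, shortly after one of these requests is the indicator that matters.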
Update to version 2.6.04 or a later patched version
CVE-2025-15027 is a critical vulnerability in the JAY Login & Register WordPress plugin allowing unauthenticated users to gain administrator privileges. This can lead to full site compromise.
You are affected if your WordPress site uses the JAY Login & Register plugin and is running version 2.6.03 or earlier. Check your plugin version immediately.
Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If immediate upgrade is not possible, disable the plugin temporarily.
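A way to answer the "are you affected" question offline, as an added example (not code from the plugin or the advisory): read the `Version:` header that WordPress requires in a plugin's main PHP file and compare it with the fixed version 2.6.04. The plugin directory is assumed to be the slug `jay-login-register` under `wp-content/plugins/`, as the component field above suggests; the sample header is constructed.

```python
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "2.6.04"            # from the advisory above
PLUGIN_SLUG = "jay-login-register"  # assumed directory name under wp-content/plugins

# WordPress reads plugin metadata from a comment block at the top of the main
# plugin file, one "Key: value" pair per line. Only "Version:" is needed here.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(header_text: str) -> Optional[str]:
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    # "2.6.03" -> (2, 6, 3). Non-numeric suffixes are dropped, so "2.6.04-beta"
    # counts as fixed; adjust if the project ships tagged pre-releases.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str) -> bool:
    """True for every version below 2.6.04 (the advisory: 0.0.0 through 2.6.03)."""
    return version_tuple(installed) < version_tuple(FIXED_VERSION)


def check_plugin_dir(plugins_root: str) -> dict:
    """Scan wp-content/plugins/<slug>/*.php for the header and report status."""
    plugin_dir = Path(plugins_root) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False}
    for php in sorted(plugin_dir.glob("*.php")):
        # Headers sit at the top of the file; 8 KiB is plenty and avoids
        # regex-scanning large source files.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version:
            return {
                "installed": True,
                "file": php.name,
                "version": version,
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": True, "file": None, "version": None, "vulnerable": None}


# Constructed sample header; not the plugin's real main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: JAY Login & Register
 * Version: 2.6.03
 * Author: example
 */
"""


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-content/plugins"
    print(check_plugin_dir(root))
```

On a host with WP-CLI, `wp plugin get jay-login-register --field=version` answers the same question (again assuming that slug), and `wp plugin update jay-login-register` or, as the fallback, `wp plugin deactivate jay-login-register` are the two remediation steps listed above.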
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation, and monitoring is recommended.
Refer to the official JAY Login & Register plugin website or WordPress plugin repository for the latest advisory and update information.