Platform
wordpress
Component
jay-login-register
Fixed in
2.6.04
CVE-2025-15100 describes a Privilege Escalation vulnerability within the JAY Login & Register plugin for WordPress. An authenticated attacker with Subscriber access or higher can exploit this flaw to gain administrator privileges. This vulnerability impacts versions 0.0.0 through 2.6.03 of the plugin. A patch has been released in version 2.6.04.
This vulnerability allows authenticated users with Subscriber access or higher to escalate their privileges to administrator. An attacker exploiting this flaw could gain full control over the WordPress site, including the ability to install malicious plugins, modify content, and access sensitive data. The potential impact includes data breaches, website defacement, and complete compromise of the WordPress installation. This is particularly concerning for sites with sensitive user data or critical business functions.
This vulnerability was publicly disclosed on 2026-02-08. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, combined with the plugin's popularity, suggests a potential for future exploitation attempts.
WordPress websites utilizing the JAY Login & Register plugin, particularly those running older versions (0.0.0–2.6.03), are at significant risk. Shared hosting environments where plugin updates are not consistently managed are especially vulnerable, as are sites with weak password policies allowing easy compromise of Subscriber accounts.
• wordpress / composer / npm:
grep -r 'jay_panel_ajax_update_profile' /var/www/html/wp-content/plugins/jay-login-register/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'jay-login-register'
• wordpress / composer / npm:
wp plugin version jay-login-register
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the JAY Login & Register plugin to version 2.6.04 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting access to the `jay_panel_ajax_update_profile` endpoint using a WordPress firewall or security plugin. Review user roles and permissions to ensure that only authorized users have access to administrative functions. Regularly audit user activity for suspicious behavior.
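One way to implement the interim restriction described above, as an added example that is not part of this advisory or of the plugin's own code: a must-use plugin that refuses the `jay_panel_ajax_update_profile` admin-ajax action for anyone below administrator and logs every promotion to administrator. It assumes the endpoint is reached through admin-ajax.php with that `action` value (the name the grep above looks for); the file name, constant name and log wording are the example's own.

```php
<?php
/**
 * Plugin Name: Interim guard for CVE-2025-15100 (example mu-plugin, not the vendor's code)
 * Description: Place in wp-content/mu-plugins/ until jay-login-register >= 2.6.04 is installed.
 */

// Assumption: the vulnerable handler is an admin-ajax action whose "action"
// request parameter equals the function name found by grep in the advisory.
const CVE_2025_15100_ACTION = 'jay_panel_ajax_update_profile';

// 1. Gate the endpoint. 'init' fires before admin-ajax.php dispatches any
//    wp_ajax_* handler, so this runs ahead of the plugin's own callback.
add_action( 'init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( $action !== CVE_2025_15100_ACTION ) {
        return;
    }
    // Only administrators may touch the profile-update handler while unpatched;
    // unauthenticated callers fail this check as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'CVE-2025-15100 guard: blocked action %s for user %d from %s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 0 );

// 2. Detect the outcome regardless of the path taken: any account that is
//    newly given the administrator role is written to the error log, which
//    is the signal to review during the "audit user activity" step above.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        error_log( sprintf(
            'Role change: user %d promoted to administrator (previous roles: %s) by user %d',
            $user_id,
            implode( ',', (array) $old_roles ) ?: 'none',
            get_current_user_id()
        ) );
    }
}, 10, 3 );
```

Remove the guard once `wp plugin version jay-login-register` reports 2.6.04 or later, since it also blocks legitimate Subscriber-level use of the endpoint.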
Update to version 2.6.04 or a newer patched version
CVE-2025-15100 is a vulnerability in the JAY Login & Register WordPress plugin allowing authenticated attackers to elevate privileges to administrator level. It affects versions 0.0.0–2.6.03 and has a CVSS score of 8.8 (HIGH).
You are affected if your WordPress site uses the JAY Login & Register plugin and is running version 2.6.03 or earlier. Check your plugin version immediately.
Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If an upgrade is not immediately possible, consider temporary workarounds like restricting access to the vulnerable function.
As of now, there are no publicly known active exploitation campaigns for CVE-2025-15100, but the vulnerability's ease of exploitation warrants vigilance.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-15100.