HIGH · CVE-2025-15100 · CVSS 8.8

CVE-2025-15100: Privilege Escalation in JAY Login & Register

Platform

wordpress

Component

jay-login-register

Fixed in

2.6.04

AI Confidence: high · Source: NVD · EPSS: 0.02% · Reviewed: May 2026

CVE-2025-15100 is a privilege escalation vulnerability in the JAY Login & Register plugin for WordPress. An authenticated attacker holding a Subscriber-level account or higher can use it to obtain administrator privileges. All plugin versions up to and including 2.6.03 are affected; the fix is in version 2.6.04.


Impact and Attack Scenarios

An authenticated attacker with nothing more than a Subscriber account can escalate to administrator. On a site with open registration, which is exactly what a login-and-register plugin is installed to provide, that precondition is met by signing up. Administrator rights give complete control of the site: installing plugins and themes (on a default install without DISALLOW_FILE_MODS this amounts to code execution on the web server), modifying content, reading user data and changing credentials. The whole WordPress installation is therefore compromised, with data breach, defacement and full takeover as the realistic outcomes. Because no user interaction is needed and the only requirement is a low-privilege account, the attack is easy to automate.

Exploitation Context

CVE-2025-15100 was published on 2026-02-08. No public proof-of-concept exploit was known at the time of review. The EPSS score is 0.02% (5th percentile), a low predicted probability of in-the-wild exploitation within 30 days. That low figure is consistent with the plugin's tiny install base (about 60 active installs) rather than with any difficulty in exploitation, which needs only a Subscriber account and no victim interaction, so an individual affected site should still be treated as exposed. Monitor WordPress security advisories and vulnerability databases for exploitation reports.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (5th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: jay-login-register
Vendor: wordfence (Wordfence is the CVE Numbering Authority that assigned this ID, not the plugin's author)
Affected range: 0 – 2.6.03
Fixed in: 2.6.04

Package Information

Active installs: 60 (niche)
Plugin rating: 5.0
Requires WordPress: 5.5+
Compatible up to: 6.9.4

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade the JAY Login & Register plugin to version 2.6.04 or later without delay. If an immediate upgrade is not feasible, restrict access to the plugin's jaypanelajaxupdateprofile profile-update handler in the meantime: either put a capability check in front of it (a must-use plugin hooked before the handler survives plugin updates, whereas edits to the plugin's own files are overwritten by the next update) or use a WordPress security plugin or WAF rule to block requests to that endpoint from non-administrators. Blocking the endpoint for everyone also disables legitimate profile updates through the plugin, so prefer a rule that exempts administrators. After upgrading, confirm the fix on a staging copy with a Subscriber-level test account: an attempt to change that account's role through the profile-update handler must be rejected, and the account must still be a Subscriber afterwards (check on the Users screen or with WP-CLI: wp user get LOGIN --field=roles).
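The following must-use plugin is an added example of the temporary gate described above; it is not code from the JAY Login & Register plugin or its author. It assumes that the handler named on this page is registered as an admin-ajax action of the same name (reachable via admin-ajax.php?action=jaypanelajaxupdateprofile); verify the real action name in the plugin source before relying on it. The function names prefixed cve_2025_15100_ are chosen here for illustration.

```php
<?php
/**
 * Plugin Name: Temporary gate for CVE-2025-15100
 * Description: Stops non-administrators from reaching the JAY Login & Register
 *              profile-update AJAX handler until the plugin is upgraded to 2.6.04.
 *
 * Added example (not the plugin's code). Place it in wp-content/mu-plugins/
 * and delete it after upgrading.
 *
 * ASSUMPTION: the handler is registered as an admin-ajax action whose name
 * matches the function named on this page. Confirm with
 *   grep -rn "wp_ajax_" wp-content/plugins/jay-login-register/
 * and adjust the constant below if the real action name differs.
 */

defined( 'ABSPATH' ) || exit;

const CVE_2025_15100_ACTION = 'jaypanelajaxupdateprofile'; // assumed action name

/**
 * True when the current request may proceed to the plugin's handler.
 * Administrators keep working; everyone else is refused.
 */
function cve_2025_15100_request_allowed() {
    return is_user_logged_in() && current_user_can( 'manage_options' );
}

/**
 * Hooked at priority 0 on both the logged-in and the nopriv variant, so it runs
 * before the plugin's own callback (registered at the default priority 10) and
 * terminates the request; the vulnerable handler never executes for non-admins.
 */
function cve_2025_15100_gate() {
    if ( cve_2025_15100_request_allowed() ) {
        return; // fall through to the plugin's handler
    }
    wp_send_json_error(
        array( 'message' => 'Profile updates are temporarily disabled (CVE-2025-15100 mitigation).' ),
        403
    ); // wp_send_json_error() ends the request via wp_die()
}
add_action( 'wp_ajax_' . CVE_2025_15100_ACTION, 'cve_2025_15100_gate', 0 );
add_action( 'wp_ajax_nopriv_' . CVE_2025_15100_ACTION, 'cve_2025_15100_gate', 0 );

/**
 * Detection backstop: set_user_role fires after a role change, so this cannot
 * prevent anything, but it records any promotion to administrator performed
 * while the acting user is not one, whichever code path caused it.
 */
function cve_2025_15100_log_role_change( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'CVE-2025-15100 watch: user %d promoted to administrator (was: %s) by non-admin actor %d, request action=%s',
            $user_id,
            implode( ',', (array) $old_roles ),
            get_current_user_id(),
            isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '-'
        ) );
    }
}
add_action( 'set_user_role', 'cve_2025_15100_log_role_change', 10, 3 );
```

The gate is a stop-gap, not a fix: it only covers the one action it is hooked to, so a second code path into the same logic (an admin-post handler or a front-end form processed on template_redirect, for example) would bypass it. Remove the file once 2.6.04 is installed, and keep the log lines from the backstop for any incident review.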

How to fix

Update to version 2.6.04 or a newer patched version.
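For readers who maintain their own plugins, the handler below is an added example of how a self-service profile-update AJAX handler has to be written so that a Subscriber cannot use it to change their own role. It illustrates the control pattern the mitigation section calls "stricter access controls"; it is not the JAY Login & Register code and not the 2.6.04 patch, and the action name example_update_profile and the field list are assumptions.

```php
<?php
/**
 * Added example of a hardened profile-update AJAX handler (illustrative, not
 * the plugin's code). Assumed action name: example_update_profile.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Fields an ordinary user may change about themselves, each with its sanitizer.
 * Keys such as 'role', 'ID' or 'user_login' never appear here: wp_update_user()
 * would honour them, so an allow-list of keys is the control, not a deny-list.
 */
function example_editable_profile_fields() {
    return array(
        'first_name'  => 'sanitize_text_field',
        'last_name'   => 'sanitize_text_field',
        'description' => 'sanitize_textarea_field',
        'user_url'    => 'esc_url_raw',
    );
}

/**
 * Build the wp_update_user() argument array from untrusted request input.
 * The user ID is pinned to the session, never read from the request, and only
 * allow-listed keys are copied; a submitted 'role' => 'administrator' is dropped.
 */
function example_build_update_args( array $request, $user_id ) {
    $args = array( 'ID' => (int) $user_id );
    foreach ( example_editable_profile_fields() as $key => $sanitizer ) {
        if ( isset( $request[ $key ] ) ) {
            $args[ $key ] = call_user_func( $sanitizer, wp_unslash( $request[ $key ] ) );
        }
    }
    return $args;
}

function example_ajax_update_profile() {
    // 1. Authentication: only the logged-in hook is registered (no nopriv variant),
    //    but check explicitly so the intent is visible.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    // 2. CSRF: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_update_profile', 'nonce' );

    // 3. Authorization: the acting user may only edit their own account.
    //    'edit_user' on your own ID passes for every role; on another ID it
    //    requires the edit_users capability, which Subscribers lack.
    $user_id = get_current_user_id();
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Input: allow-listed and sanitized, ID taken from the session.
    $args   = example_build_update_args( $_POST, $user_id );
    $result = wp_update_user( $args );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'updated' => array_keys( $args ) ) );
}
add_action( 'wp_ajax_example_update_profile', 'example_ajax_update_profile' );
```

The three checks are independent and all necessary: the nonce stops cross-site requests, the capability check stops one user editing another, and the allow-list stops a user editing attributes of themselves (role, login name, capabilities) that the feature was never meant to expose. The last one is the control that a privilege escalation of this class exploits when it is missing.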


Frequently asked questions

What is CVE-2025-15100 — Privilege Escalation in JAY Login & Register?

CVE-2025-15100 is a vulnerability in the JAY Login & Register WordPress plugin allowing authenticated attackers to elevate privileges to administrator level. It affects versions 0.0.0–2.6.03 and has a CVSS score of 8.8 (HIGH).

Am I affected by CVE-2025-15100 in JAY Login & Register?

You are affected if your WordPress site has the JAY Login & Register plugin installed at version 2.6.03 or earlier. Check the version on the Plugins screen or with WP-CLI (wp plugin get jay-login-register --field=version), and compare it numerically rather than as a string: the patch component is zero-padded ("2.6.03"), so a plain string comparison against "2.6.04" gives wrong answers for versions such as 2.6.1.

How do I fix CVE-2025-15100 in JAY Login & Register?

Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If an upgrade is not immediately possible, consider temporary workarounds like restricting access to the vulnerable function.

Is CVE-2025-15100 being actively exploited?

As of the May 2026 review there were no publicly known exploitation campaigns for CVE-2025-15100 and it is not in CISA's KEV catalogue, but the vulnerability needs only a Subscriber account and no user interaction, so affected sites should be patched promptly rather than on the strength of the low EPSS score.

Where can I find the official JAY Login & Register advisory for CVE-2025-15100?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-15100.
