Platform: wordpress
Component: jay-login-register
Fixed in: 2.6.04
CVE-2025-15027 is a critical privilege escalation vulnerability in the JAY Login & Register plugin for WordPress. It allows an unauthenticated attacker to obtain administrator privileges, which amounts to full compromise of the affected site. All versions up to and including 2.6.03 are affected; the fix is in version 2.6.04.
The impact is severe. An attacker who exploits CVE-2025-15027 gains complete control of the WordPress site: modifying content, installing malicious plugins or themes (and with them arbitrary PHP), reading sensitive data such as user credentials, customer information and financial records, and defacing the site. A compromised site can also serve as a foothold for attacks on other systems on the same network, widening the blast radius. Because no authentication is required, every internet-reachable site running a vulnerable version is exposed. The underlying pattern, a missing access control on a privileged operation, is common to many WordPress privilege escalation flaws.
CVE-2025-15027 was published on 2026-02-08. Severity is currently assessed as CRITICAL (CVSS 9.8). Public proof-of-concept (PoC) code may well appear given the ease of exploitation and the plugin's install base, so monitor security advisories and threat intelligence feeds for reports of active exploitation. Note that the EPSS score listed below (0.05%, 16th percentile) is low: the expectation of exploitation here rests on how simple the flaw is, not on observed attacks.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-15027 is to upgrade the JAY Login & Register plugin to version 2.6.04 or later immediately. If upgrading is not feasible right away because of compatibility concerns, deactivate the plugin until it can be upgraded. Deactivation stops WordPress from loading the plugin, which removes its hooks, AJAX actions and REST routes; if the flaw lives in a file that can be requested directly, only removing the plugin directory helps, so prefer deletion over deactivation when in doubt. As a short-term measure, restrict access to the plugin's registration functionality at the web server or WAF where your deployment allows it, and review the user table for administrator accounts you did not create: compare the administrator list against a known-good list and look at registration dates. Confirm that WordPress's own settings are sane as well (the default role for new users should not be administrator). After upgrading, verify the fix by attempting to create a new user account without authentication and confirming that administrator privileges cannot be assigned. Upgrading does not remove accounts an attacker may already have created, so if you find evidence of compromise, treat the site as compromised: remove rogue administrators, rotate credentials and secrets, and review installed plugins and themes.
Update to version 2.6.04, or a newer patched version
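The two checks the remediation above calls for, a version comparison against 2.6.04 and an audit for administrator accounts that should not exist, as an added example in POSIX shell. This is not code from the plugin or from the advisory. The plugin header and the wp-cli output embedded below are constructed samples so the script runs offline; the name of the plugin's main PHP file is not stated on the page, so the script reads whatever file you pipe in rather than assuming one; the `wp user list` invocation quoted in the comment is how the sample CSV would be produced on a real site.

```shell
#!/bin/sh
# Added example (not the plugin's or the advisory's code): check whether an
# installed copy of JAY Login & Register is below the fixed version, and list
# administrator accounts registered on or after a given date. Both inputs are
# constructed samples so the script runs offline.

FIXED_VERSION=2.6.04

# Constructed sample: the header comment WordPress reads from a plugin's main
# file. The real file sits under wp-content/plugins/jay-login-register/; its
# name is not given on the page, so pass the real file on stdin instead.
SAMPLE_PLUGIN_HEADER='<?php
/*
Plugin Name: JAY Login & Register
Version: 2.6.03
*/'

# Constructed sample of what
#   wp user list --role=administrator --format=csv \
#       --fields=ID,user_login,user_email,user_registered
# prints on a site with one legitimate admin and one unexpected one.
SAMPLE_ADMIN_CSV='ID,user_login,user_email,user_registered
1,siteowner,owner@example.test,2023-04-11 09:12:44
57,qwe8812,drop@example.test,2026-02-09 03:41:07'

# Print the value of the "Version:" header line read from stdin (handles both
# the plain "Version:" and the docblock " * Version:" forms).
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Strip leading zeros so "03" compares as 3 and "08" is never read as octal.
num() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${v:-0}"
}

# Exit 0 when dotted version $1 is lower than $2. Components are compared
# numerically, so 2.6.9 < 2.6.10 and 2.6.03 < 2.6.04; plain string
# comparison would get the first of those wrong.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
        x=$(num "$x"); y=$(num "$y")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Exit 0 (vulnerable) when the plugin file on stdin reports a version below
# FIXED_VERSION, 1 when it is patched, 2 when no Version: header is found.
jay_vulnerable() {
    v=$(plugin_version)
    if [ -z "$v" ]; then
        echo "no Version: header found" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# Print "ID login registered" for every CSV row (stdin, header first) whose
# user_registered date is on or after $1 (YYYY-MM-DD). Dates are reduced to
# YYYYMMDD integers so the comparison is numeric and POSIX-portable.
admins_registered_since() {
    since=$(printf '%s' "$1" | tr -d '-')
    tail -n +2 | while IFS=, read -r id login email registered; do
        day=$(printf '%s' "${registered%% *}" | tr -d '-')
        if [ "$day" -ge "$since" ]; then
            printf '%s %s %s\n' "$id" "$login" "$registered"
        fi
    done
}

# Stand-alone run on the constructed samples; on a live site feed the real
# plugin file and real `wp user list` output instead.
if printf '%s\n' "$SAMPLE_PLUGIN_HEADER" | jay_vulnerable; then
    echo "JAY Login & Register $(printf '%s\n' "$SAMPLE_PLUGIN_HEADER" | plugin_version) is below $FIXED_VERSION: update now"
fi
echo "administrator accounts registered since the publication date:"
printf '%s\n' "$SAMPLE_ADMIN_CSV" | admins_registered_since 2026-02-08
```

On a live site, `wp plugin list --format=csv --fields=name,version,status` gives the installed version without reading the file, and `wp option get users_can_register` together with `wp option get default_role` shows whether open registration is enabled and what role it hands out; a `default_role` of `administrator` is a misconfiguration regardless of this CVE. An administrator account that appears in the audit with a registration date after the advisory, a throwaway-looking login and an unfamiliar e-mail address is the first thing to pull during incident response.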
CVE-2025-15027 is a critical vulnerability in the JAY Login & Register WordPress plugin allowing unauthenticated users to gain administrator privileges. This can lead to full site compromise.
You are affected if your WordPress site uses the JAY Login & Register plugin and is running version 2.6.03 or earlier. Check your plugin version immediately.
Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation, and monitoring is recommended.
Refer to the official JAY Login & Register plugin website or WordPress plugin repository for the latest advisory and update information.