Platform
wordpress
Component
jay-login-register
Fixed in
2.6.04
CVE-2025-15100 describes a Privilege Escalation vulnerability within the JAY Login & Register plugin for WordPress. An authenticated attacker with Subscriber access or higher can exploit this flaw to gain administrator privileges. This vulnerability impacts versions 0.0.0 through 2.6.03 of the plugin. A patch has been released in version 2.6.04.
Any authenticated account, including the default Subscriber role, is enough to escalate to administrator. That is full control of the site: installing arbitrary plugins and themes (and therefore arbitrary PHP), editing content, reading the database and its user data, and creating further privileged accounts that persist after the plugin is patched. Exposure is highest on sites with open user registration (Settings > General > Membership, "Anyone can register"), where the Subscriber prerequisite is met by simply signing up.
CVE-2025-15100 was published on 2026-02-08. No public proof-of-concept exploit is known at the time of writing. The EPSS score listed below is 0.02% (5th percentile), meaning the model currently predicts a low probability of exploitation over the next 30 days. EPSS is recomputed daily and will rise quickly if a PoC or scanner module appears, so treat the low score as a snapshot rather than a reason to defer patching. Monitor vulnerability databases and WordPress security vendors for exploitation reports.
Exploit Status
EPSS
0.02% (5th percentile)
The primary mitigation is to upgrade the JAY Login & Register plugin to version 2.6.04 or later. If an immediate upgrade is blocked by compatibility concerns, temporarily restrict access to the vulnerable 'jaypanelajaxupdateprofile' function, for example by blocking the request pattern that reaches it at the WAF or web-server layer, or by adding an authorization check from a must-use plugin. Avoid editing the plugin's own files: the next update silently overwrites such changes. If the plugin is not actually needed, deactivate it until it is patched. After upgrading, confirm the fix with a throwaway Subscriber-level test account; an attempt to change its role through the profile-update endpoint must be rejected. Because this is a privilege-escalation flaw, also review the Administrator accounts on the Users screen and recent role changes for anything created before the patch was applied; a patch does not revoke privileges an attacker already obtained.
Update to version 2.6.04, or a newer patched version
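As an added illustration (not the plugin's code, and not a reconstruction of the specific defect in 'jaypanelajaxupdateprofile', which the advisory does not detail), the following shows the privilege-escalation pattern most often found in WordPress profile-update AJAX handlers, beside a hardened handler of the kind the mitigation above refers to. The action names, nonce action and field names are assumptions chosen for the example.

```php
<?php
/**
 * Illustrative example added to this advisory. NOT the plugin's code.
 * Shows the insecure pattern behind most WordPress profile-update
 * privilege escalations and a hardened counterpart. All action names,
 * the nonce action and the field list are assumptions for the example.
 */

// --- Insecure shape: trusts the request for WHICH user and WHICH fields change.
add_action( 'wp_ajax_example_update_profile_insecure', function () {
    // Every logged-in user (Subscriber included) can reach wp_ajax_* actions.
    // No nonce, no capability check, no field allow-list.
    $data = array(
        'ID'           => intval( $_POST['user_id'] ), // attacker chooses the target account
        'display_name' => $_POST['display_name'],
        'role'         => $_POST['role'],              // attacker sends 'administrator'
    );
    wp_update_user( $data ); // wp_update_user() applies 'role' for any caller
    wp_send_json_success();
} );

// --- Hardened shape.
add_action( 'wp_ajax_example_update_profile_secure', function () {
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    (client side: wp_create_nonce( 'example_update_profile' )). Dies on failure.
    check_ajax_referer( 'example_update_profile', '_ajax_nonce' );

    // 2. Authorization: act only on the caller's own account. The target ID is
    //    taken from the session, never from the request.
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list: copy only fields a Subscriber is meant to edit, each through a
    //    sanitizer. 'role', 'wp_capabilities' and 'user_login' never come from the client.
    $allowed = array(
        'first_name'   => 'sanitize_text_field',
        'last_name'    => 'sanitize_text_field',
        'display_name' => 'sanitize_text_field',
        'description'  => 'sanitize_textarea_field',
        'user_url'     => 'esc_url_raw',
    );
    $data = array( 'ID' => $user_id );
    foreach ( $allowed as $field => $sanitizer ) {
        if ( isset( $_POST[ $field ] ) ) {
            $data[ $field ] = call_user_func( $sanitizer, wp_unslash( $_POST[ $field ] ) );
        }
    }

    // 4. Email is account-recovery material: validate it; wp_update_user() returns
    //    WP_Error if the address is already taken.
    if ( isset( $_POST['user_email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['user_email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( 'invalid email', 400 );
        }
        $data['user_email'] = $email;
    }

    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'updated' => array_keys( $data ) ) );
} );
```

The three controls in the hardened handler are independent: the nonce stops cross-site requests, the session-derived ID plus `current_user_can( 'edit_user', ... )` stops one user editing another, and the field allow-list stops a self-edit from touching `role`. Dropping any one of them reopens a path to escalation, which is why a WAF rule on the endpoint is only a stopgap until the plugin update lands. When testing a fix, send `role=administrator` from a Subscriber account and confirm both that the response is an error and that the stored role is unchanged.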
CVE-2025-15100 is a vulnerability in the JAY Login & Register WordPress plugin allowing authenticated attackers to elevate privileges to administrator level. It affects versions 0.0.0–2.6.03 and has a CVSS score of 8.8 (HIGH).
You are affected if your WordPress site runs the JAY Login & Register plugin (slug jay-login-register) at version 2.6.03 or earlier. Check the version shown on the Plugins screen or in the Version: header of the plugin's main file, and treat sites with open user registration as the highest priority.
Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If an upgrade is not immediately possible, consider temporary workarounds like restricting access to the vulnerable function.
As of now, there are no publicly known active exploitation campaigns for CVE-2025-15100, but the vulnerability's ease of exploitation warrants vigilance.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-15100.