Platform
wordpress
Component
jay-login-register
Fixed in
2.6.04
CVE-2025-15100 describes a Privilege Escalation vulnerability within the JAY Login & Register plugin for WordPress. An authenticated attacker with Subscriber access or higher can exploit this flaw to gain administrator privileges. This vulnerability impacts versions 0.0.0 through 2.6.03 of the plugin. A patch has been released in version 2.6.04.
Exploitation requires nothing beyond an authenticated account at Subscriber level, the lowest default WordPress role, and it yields Administrator. An Administrator controls the whole site: installing a plugin or editing theme files amounts to arbitrary PHP execution on the web server, and all content and user data (including password hashes and e-mail addresses) become readable and writable. Realistic outcomes are data theft, defacement, persistent backdoors and, on shared hosting, a foothold from which neighbouring sites can be attacked. Because the only precondition is a low-privilege login, exploitation at scale is cheap once the technique is known.
CVE-2025-15100 was published on 2026-02-08. At the time of writing no public proof-of-concept exploit is known. The EPSS score recorded on this page is 0.02% (5th percentile), i.e. a low predicted probability of exploitation in the wild; that figure reflects the absence of public exploit code rather than any difficulty in exploitation, and EPSS typically rises sharply once a proof of concept is released. Monitor WordPress security advisories and vulnerability databases for exploitation reports, and re-check the current EPSS value rather than relying on the figure here.
WordPress sites with the JAY Login & Register plugin on any version up to and including 2.6.03 are affected. Exposure is highest where an attacker can readily obtain a Subscriber account: sites with open user registration (the very feature this plugin provides), sites whose users reuse weak or leaked passwords, and shared-hosting environments where plugin updates are not applied promptly.
• wordpress / composer / npm:
grep -r 'jay_panel_ajax_update_profile' /var/www/html/wp-content/plugins/jay-login-register/
(adjust the path to your document root; a hit confirms the plugin code is installed, but the presence of the handler name alone does not distinguish a patched copy from an unpatched one, so rely on the version check)
• wordpress / composer / npm:
wp plugin list --status=active | grep 'jay-login-register'
• wordpress / composer / npm:
wp plugin get jay-login-register --field=version
(prints the installed version; anything lower than 2.6.04 is vulnerable)
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the JAY Login & Register plugin to version 2.6.04 or later immediately. If an immediate upgrade is not feasible because of compatibility concerns, temporarily restrict access to the jay_panel_ajax_update_profile handler: either patch a capability check into the plugin (bearing in mind that the next plugin update overwrites it) or gate the request before it reaches the handler, for example with a must-use plugin or a WAF rule on the admin-ajax.php action the handler is hooked to. Deactivating the plugin entirely is the simplest stop-gap if its login and registration forms can be taken offline briefly. After upgrading, confirm the fix with a dedicated Subscriber test account: repeat the escalation attempt against the profile-update handler, verify (for example with wp user get <login> --field=roles) that the account is still a Subscriber, and then delete the test account.
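The following must-use plugin is an added example of the temporary restriction described above; it is not code from the JAY Login & Register plugin or its vendor. It assumes only what this page states: that a plain function named jay_panel_ajax_update_profile is the AJAX handler at issue and is registered with add_action on a wp_ajax_* (or wp_ajax_nopriv_*) hook. It does not need to know the action name, because has_action() is queried with the callback, and it refuses the request before the handler runs unless the caller already holds promote_users, the capability WordPress requires for changing roles.

```php
<?php
/**
 * Plugin Name: Temporary gate for jay_panel_ajax_update_profile (CVE-2025-15100)
 * Description: Stop-gap until jay-login-register is on 2.6.04 or later. Delete afterwards.
 *
 * Added example, not the plugin's own code. Assumes jay_panel_ajax_update_profile
 * is a plain function hooked with add_action(); an object-method callback would
 * need the array form of the callback in has_action() below.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True when the current admin-ajax.php request would be dispatched to
 * jay_panel_ajax_update_profile, whether via the logged-in or the nopriv hook.
 */
function cve_2025_15100_request_targets_handler() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return false;
    }
    // admin-ajax.php uses the raw action string to build the hook name, so match it exactly.
    $action = (string) wp_unslash( $_REQUEST['action'] );
    foreach ( array( 'wp_ajax_' . $action, 'wp_ajax_nopriv_' . $action ) as $hook ) {
        // has_action() returns the priority (which may be 0) or false: compare strictly.
        if ( false !== has_action( $hook, 'jay_panel_ajax_update_profile' ) ) {
            return true;
        }
    }
    return false;
}

// admin-ajax.php fires admin_init before it dispatches wp_ajax_{action}, so by the
// end of admin_init the plugin's hook is registered and we can intercept in front of it.
add_action( 'admin_init', function () {
    if ( ! cve_2025_15100_request_targets_handler() ) {
        return;
    }
    // Users who may already change roles keep access; everyone else, Subscribers
    // and anonymous callers included, is refused before the handler executes.
    if ( ! current_user_can( 'promote_users' ) ) {
        error_log( sprintf(
            'CVE-2025-15100 gate: blocked profile-update request from user %d (%s)',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( array( 'message' => 'Profile updates are temporarily disabled.' ), 403 );
    }
}, PHP_INT_MAX );
```

Save the file under wp-content/mu-plugins/ (must-use plugins load automatically and cannot be deactivated from the dashboard), confirm a Subscriber test account now receives a 403 JSON error from the handler, and remove the file once the plugin has been upgraded. The trade-off is deliberate: ordinary users lose profile updates through this path for the duration, which is the point of a stop-gap that does not depend on knowing how the escalation is triggered.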
Update to version 2.6.04 or a more recent patched version.
CVE-2025-15100 is a vulnerability in the JAY Login & Register WordPress plugin allowing authenticated attackers to elevate privileges to administrator level. It affects versions 0.0.0–2.6.03 and has a CVSS score of 8.8 (HIGH).
You are affected if your WordPress site uses the JAY Login & Register plugin and is running version 2.6.03 or earlier. Check your plugin version immediately.
Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If an upgrade is not immediately possible, consider temporary workarounds like restricting access to the vulnerable function.
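For anyone who maintains a fork of the plugin or has to patch it in place, the "stricter access control" amounts to the pattern below. This is an added example and not the JAY Login & Register plugin's own code, which this page does not show: the vulnerable shape is the one that commonly produces Subscriber-to-Administrator escalation in profile-update handlers (request fields, including role data, passed straight to wp_update_user(), which performs no capability check of its own), and whether the real bug has exactly this shape is an assumption. The AJAX action name example_update_profile and the nonce action example_profile are hypothetical.

```php
<?php
/**
 * Added example contrasting an escalation-prone profile-update handler with a
 * hardened one. Not the plugin's code; the bug shape is assumed for illustration.
 */

// ILLUSTRATIVE VULNERABLE SHAPE: every POST field is forwarded unfiltered.
// wp_update_user() applies a 'role' key via WP_User::set_role() and writes any
// 'meta_input' entries (including wp_capabilities) as user meta, with no check
// that the caller is allowed to do so. role=administrator from a Subscriber works.
function example_update_profile_vulnerable() {
    $data       = wp_unslash( $_POST );
    $data['ID'] = get_current_user_id();
    $result     = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success();
}

// HARDENED: nonce check, login check, explicit refusal of role data, field allow-list.
function example_update_profile_hardened() {
    // CSRF protection: dies with 403 unless '_wpnonce' was issued for this action.
    check_ajax_referer( 'example_profile', '_wpnonce' );

    // The handler only ever edits the caller's own record.
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // Defence in depth: any attempt to supply role or capability data is refused
    // outright, even though the allow-list below would drop it silently.
    foreach ( array( 'role', 'meta_input', 'wp_capabilities', 'wp_user_level' ) as $forbidden ) {
        if ( isset( $_POST[ $forbidden ] ) ) {
            wp_send_json_error( array( 'message' => 'Role changes are not permitted.' ), 403 );
        }
    }

    // Allow-list of self-editable fields, each paired with its sanitizer. Nothing
    // privilege-bearing ('role', 'user_login', 'user_pass') is copied from the request.
    $allowed = array(
        'first_name'   => 'sanitize_text_field',
        'last_name'    => 'sanitize_text_field',
        'display_name' => 'sanitize_text_field',
        'description'  => 'sanitize_textarea_field',
        'user_url'     => 'esc_url_raw',
        'user_email'   => 'sanitize_email',
    );
    $data = array( 'ID' => $user_id );
    foreach ( $allowed as $field => $sanitizer ) {
        if ( isset( $_POST[ $field ] ) ) {
            $data[ $field ] = call_user_func( $sanitizer, wp_unslash( $_POST[ $field ] ) );
        }
    }

    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'ID' => $user_id ) );
}

// Only the logged-in hook is registered; there is no wp_ajax_nopriv_ variant,
// because an anonymous visitor has no profile to update.
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_hardened' );
```

The form that calls this handler must emit the matching nonce, e.g. wp_nonce_field( 'example_profile' ), or the hardened handler rejects every request. The design choice worth noting is the allow-list: rather than trying to enumerate dangerous keys, the handler copies only the fields a user may change about themselves, so a new privilege-bearing key added to wp_update_user() in a future WordPress release is ignored by default.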
As of now, there are no publicly known active exploitation campaigns for CVE-2025-15100, but the vulnerability's ease of exploitation warrants vigilance.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-15100.