Platform: wordpress
Component: jay-login-register
Fixed in: 2.6.04
CVE-2025-15027 represents a critical Privilege Escalation vulnerability discovered in the JAY Login & Register plugin for WordPress. This flaw allows unauthenticated attackers to gain administrator privileges, effectively compromising the entire WordPress site. The vulnerability affects versions from 0.0.0 through 2.6.03, but a patch is available in version 2.6.04.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-15027 can gain complete control over a WordPress site. This includes the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and even deface the website. The attacker could also use the compromised site as a launchpad for further attacks against other systems on the network, leading to a significant blast radius. This vulnerability shares similarities with other privilege escalation flaws where improper access controls allow unauthorized users to bypass security measures.
CVE-2025-15027 was published on 2026-02-08. Severity is currently assessed as CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the plugin's popularity. Monitor security advisories and threat intelligence feeds for reports of active exploitation campaigns. The vulnerability's simplicity suggests a high probability of exploitation.
Exploit status:
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-15027 is to immediately upgrade the JAY Login & Register plugin to version 2.6.04 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a short-term workaround, implement strict access controls and monitor user activity for suspicious behavior. Review WordPress user roles and permissions to ensure they are appropriately configured. After upgrading, verify the fix by attempting to create a new user account without authentication and confirming that administrator privileges cannot be assigned.
Update to version 2.6.04 or a later fixed release.
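The mitigation steps above (check the installed version, upgrade or disable the plugin, review administrator accounts) as an added Python triage script. This is example code written for this page, not part of the advisory or of the plugin: it decides whether an installed version falls in the affected range (below 2.6.04, as stated above) with a numeric rather than string comparison, and lists administrator accounts registered after a reference date that are not on an allowlist. The user records are a constructed sample in the shape of WP-CLI's `wp user list --format=json` output; the exact `roles` field format is an assumption.

```python
"""Added example (not part of the advisory or the plugin): a small triage
script for CVE-2025-15027. It (1) decides whether an installed JAY Login &
Register version is in the affected range (< 2.6.04, per the advisory) and
(2) lists administrator accounts created after a reference date, since the
flaw grants administrator privileges to unauthenticated users. The user
records are a constructed sample in the shape of `wp user list --format=json`;
a real run would feed it the output of that WP-CLI command instead."""
import json
import re
from datetime import datetime

FIXED_VERSION = "2.6.04"   # first fixed release named in the advisory
PLUGIN_SLUG = "jay-login-register"


def parse_version(version):
    """Turn '2.6.04' into (2, 6, 4) so comparison is numeric.
    String comparison would wrongly rank '2.6.10' below '2.6.04'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed_version):
    """True when the installed plugin is older than the fixed release."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


# Constructed sample: what `wp user list --format=json` might return.
# The 'roles' field is assumed to be a comma-separated string.
SAMPLE_USERS = json.loads("""[
  {"ID": 1,  "user_login": "siteowner",  "user_email": "owner@example.test",
   "user_registered": "2024-03-01 10:00:00", "roles": "administrator"},
  {"ID": 2,  "user_login": "editor1",    "user_email": "editor@example.test",
   "user_registered": "2025-06-12 08:30:00", "roles": "editor"},
  {"ID": 57, "user_login": "wp_support", "user_email": "support@example.test",
   "user_registered": "2026-02-09 03:14:07", "roles": "administrator"}
]""")


def unexpected_admins(users, since, known_admins=()):
    """Administrator accounts registered on or after `since` (YYYY-MM-DD)
    that are not in the `known_admins` allowlist."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = []
    for user in users:
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        if "administrator" not in roles or user["user_login"] in known_admins:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            hits.append(user["user_login"])
    return hits


def triage(installed_version, users, since, known_admins=()):
    """Combine both checks into one result dict with a recommended action."""
    affected = is_affected(installed_version)
    admins = unexpected_admins(users, since, known_admins)
    if affected:
        action = f"upgrade {PLUGIN_SLUG} to {FIXED_VERSION} or later (or disable it)"
    elif admins:
        action = "patched, but review the listed administrator accounts"
    else:
        action = "patched; no unexpected administrators found"
    return {"affected": affected, "unexpected_admins": admins, "action": action}


if __name__ == "__main__":
    result = triage("2.6.03", SAMPLE_USERS, "2026-01-01", known_admins=("siteowner",))
    print(json.dumps(result, indent=2))
```

On a real site, the installed version would come from `wp plugin get jay-login-register --field=version` and the user records from `wp user list --format=json`; the reference date should predate the advisory's publication so that any administrator created since then, and not on the allowlist, is surfaced for review. Because the numeric comparison treats `2.6.10` as newer than `2.6.04`, the check stays correct after later releases.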
CVE-2025-15027 is a critical vulnerability in the JAY Login & Register WordPress plugin allowing unauthenticated users to gain administrator privileges. This can lead to full site compromise.
You are affected if your WordPress site uses the JAY Login & Register plugin and is running version 2.6.03 or earlier. Check your plugin version immediately.
Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation, and monitoring is recommended.
Refer to the official JAY Login & Register plugin website or WordPress plugin repository for the latest advisory and update information.