JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user
Platform
wordpress
Component
jay-login-register
Fixed version
2.6.04
CVE-2025-15027 represents a critical Privilege Escalation vulnerability discovered in the JAY Login & Register plugin for WordPress. This flaw allows unauthenticated attackers to gain administrator privileges, effectively compromising the entire WordPress site. The vulnerability affects versions from 0.0.0 through 2.6.03, but a patch is available in version 2.6.04.
Impact and Attack Scenarios
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-15027 can gain complete control over a WordPress site. This includes the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and even deface the website. The attacker could also use the compromised site as a launchpad for further attacks against other systems on the network, leading to a significant blast radius. This vulnerability shares similarities with other privilege escalation flaws where improper access controls allow unauthorized users to bypass security measures.
Exploitation Context
CVE-2025-15027 was published on 2026-02-08. Severity is currently assessed as CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the plugin's popularity. Monitor security advisories and threat intelligence feeds for reports of active exploitation campaigns. The vulnerability's simplicity suggests a high probability of exploitation.
Threat Intelligence
Exploitation status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS Vector
What these metrics mean:
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access is required. This is the largest possible attack surface.
- Attack Complexity: Low. No special conditions are needed; the vulnerability can be exploited reliably.
- Privileges Required: None. No authentication or credentials are needed to exploit it.
- User Interaction: None. The attack is automatic and silent; the victim does not have to do anything.
- Scope: Unchanged. The impact is confined to the vulnerable component itself.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete any data.
- Availability: High. Complete crash or resource exhaustion, i.e. full denial of service.
Affected Software
Package information
- Active installs: 60 (niche)
- Plugin rating: 5.0
- Requires WordPress version: 5.5+
- Tested up to: 6.9.4
Weakness Classification (CWE)
Timeline
- Reserved
- Published: 2026-02-08
- Modified
- EPSS updated
Mitigations and Alternatives
The primary mitigation for CVE-2025-15027 is to immediately upgrade the JAY Login & Register plugin to version 2.6.04 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a short-term workaround, implement strict access controls and monitor user activity for suspicious behavior. Review WordPress user roles and permissions to ensure they are appropriately configured. After upgrading, verify the fix by attempting to create a new user account without authentication and confirming that administrator privileges cannot be assigned.
Remediation
Update to version 2.6.04 or a later fixed release.
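For maintainers reviewing their own user-creation endpoints, the following is an added example (not the JAY Login & Register plugin's code) of how a WordPress AJAX registration handler should be hardened against this class of privilege escalation: the role is never taken from the request, a nonce is required, and the site's registration setting is honoured. The hook name `example_create_user`, the field names and the allowed-role list are assumptions.

```php
<?php
// Added example: hardened AJAX user-creation handler for WordPress.
// Hypothetical plugin code; hook/field names are assumptions, not the
// plugin's own identifiers.

add_action( 'wp_ajax_nopriv_example_create_user', 'example_create_user' );
add_action( 'wp_ajax_example_create_user', 'example_create_user' );

function example_create_user() {
    // 1. Reject requests without a nonce issued for this specific action.
    //    Unauthenticated visitors receive theirs via wp_localize_script().
    check_ajax_referer( 'example_create_user', 'nonce' );

    // 2. Honour the site-wide "Anyone can register" switch.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'Invalid login or e-mail address.', 400 );
    }

    // 3. The role is NEVER read from the request. A self-registered account
    //    gets the configured default role, and even that is clamped to a
    //    small allow-list so a misconfigured default cannot hand out admin.
    $role = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, array( 'subscriber', 'contributor' ), true ) ) {
        $role = 'subscriber';
    }

    // 4. Any client-supplied role is ignored and logged for the SOC;
    //    promotions happen only through the normal admin UI.
    if ( ! empty( $_POST['role'] ) ) {
        error_log( sprintf(
            'example_create_user: ignored client-supplied role "%s" for login "%s"',
            sanitize_key( wp_unslash( $_POST['role'] ) ), $login
        ) );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ), // user resets via e-mail
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

After patching, the verification step from the mitigation section still applies: submit the endpoint without a session and confirm the resulting account, if one is created at all, carries only the default role.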
Frequently Asked Questions
What is CVE-2025-15027 — Privilege Escalation in JAY Login & Register?
CVE-2025-15027 is a critical vulnerability in the JAY Login & Register WordPress plugin allowing unauthenticated users to gain administrator privileges. This can lead to full site compromise.
Am I affected by CVE-2025-15027 in JAY Login & Register?
You are affected if your WordPress site uses the JAY Login & Register plugin and is running version 2.6.03 or earlier. Check your plugin version immediately.
How do I fix CVE-2025-15027 in JAY Login & Register?
Upgrade the JAY Login & Register plugin to version 2.6.04 or later. If immediate upgrade is not possible, disable the plugin temporarily.
Is CVE-2025-15027 being actively exploited?
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation, and monitoring is recommended.
Where can I find the official JAY Login & Register advisory for CVE-2025-15027?
Refer to the official JAY Login & Register plugin website or WordPress plugin repository for the latest advisory and update information.