WordPress Security Bulletin: JAY Login & Register Plugin Vulnerability (CVE-2025-15100)

On this page

Security Alert Summary

The JAY Login & Register plugin for WordPress contains a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to modify arbitrary user meta via an AJAX handler. Successful exploitation can elevate an attacker to administrator privileges.


CVE Details

  • CVE ID: CVE-2025-15100
  • Affected component: JAY Login & Register plugin for WordPress
  • Affected versions: All versions up to, and including, 2.6.03 (as stated in the CVE entry)
  • Published: February 8, 2026 at 2:15:56 AM UTC
  • Last modified: February 8, 2026 at 2:15:56 AM UTC
  • CVSS v3.1 base score: 8.8 — HIGH
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack vector / complexity: Network / Low
  • Privileges required: Low (authenticated user with Subscriber-level access or above)
  • User interaction: None
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • Weakness (CWE): CWE-269

Technical Details

According to the CVE entry, the plugin’s AJAX handler jay_panel_ajax_update_profile allows a caller to update arbitrary user meta. Because the handler does not restrict which user meta keys can be modified (or does not enforce sufficient authorization checks), an authenticated user with low privileges can update metadata that controls roles or capabilities, resulting in privilege escalation to administrator.

The vulnerability exists in the plugin code path that processes profile updates via the named AJAX function. The CVE description explicitly attributes the issue to the ability to update arbitrary user meta through jay_panel_ajax_update_profile.


How This Could Impact Your Website

On a multi-user WordPress site, a typical scenario might involve a site owner, internal staff (editors or authors), and external contributors or contractors given Subscriber-level access to post content or manage profiles. An attacker who already has a Subscriber account — which may be assigned to a contractor or contributor — could exploit the described behavior to elevate their account to an administrator.

Practical consequences include unauthorized changes to site settings, modification or deletion of content, and creation of additional administrative accounts. Confidential information stored in user profiles or accessible by administrators could be exposed, increasing the risk of targeted phishing or social engineering against staff. Availability could be impacted if administrative actions remove or alter critical content or configurations.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (the CVE entry does not specify a fixed version).
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and subscribers.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and limit plugin installation privileges to trusted administrators.
  • Monitor site activity and audit logs for unusual behavior, such as unexpected role changes or new administrator accounts.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References