Security Alert Summary
The JAY Login & Register plugin for WordPress contains a privilege escalation vulnerability that allows unauthenticated users to update arbitrary user meta via an AJAX handler. According to the CVE entry, this can enable an attacker to elevate their account to administrator privileges.
CVE Details
- CVE ID: CVE-2025-15027
- Affected plugin or component: JAY Login & Register plugin for WordPress
- Affected versions: all versions up to, and including, 2.6.03
- Published: February 8, 2026 at 02:15:56 AM UTC
- Last modified: February 8, 2026 at 02:15:56 AM UTC
- CVSS v3.1: Base Score 9.8, Severity CRITICAL, Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - Authentication / Privileges / User interaction: Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW
- Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
- CWE / weakness: CWE-269
Technical Details
The vulnerability is caused by the plugin allowing updates to arbitrary user meta through its AJAX handler. The CVE description specifically names the function jay_login_register_ajax_create_final_user as the entry point that permits updating user meta without proper authorization checks. Because this path accepts and applies user meta changes from an unauthenticated request, an attacker can modify capability-related metadata and elevate their account to an administrator role.
This is a privilege escalation issue rooted in insufficient access control on user meta updates via the plugin’s AJAX functionality. The impact described in the CVE is elevation to administrator privileges for an unauthenticated attacker.
How This Could Impact Your Website
On a site with multiple users—such as a site owner, internal staff (editors or authors), and external contractors or contributors—an unauthenticated attacker exploiting this vulnerability could elevate a low-privilege or newly created account to administrator. With administrator privileges the attacker could access user data stored in the site (for example, profile fields and email addresses), modify content or settings, and manage plugins or themes.
Practical consequences include unauthorized access to sensitive user information and administrative functions, and an increased risk of targeted phishing or social engineering if email addresses are exposed. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed or patched version.)
- Review and reduce unnecessary user roles and privileges, especially for contributors and other low-trust accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and themes from your site.
- Monitor site activity and logs for unusual account creations, privilege changes, or administrative actions.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.