CVE-2025-15100 Overview
CVE-2025-15100 is a privilege escalation vulnerability in the JAY Login & Register plugin for WordPress. The flaw affects all versions up to and including 2.6.03. The plugin's jay_panel_ajax_update_profile AJAX handler allows authenticated users to update arbitrary user meta fields. Attackers with Subscriber-level access or higher can modify the wp_capabilities meta key to grant themselves administrator privileges. The weakness is categorized under CWE-269: Improper Privilege Management.
Critical Impact
Any authenticated WordPress user with Subscriber access can escalate to full administrator privileges, leading to complete site takeover.
Affected Products
- JAY Login & Register plugin for WordPress — all versions through 2.6.03
- WordPress sites running the affected plugin with open user registration
- Membership and community sites relying on this plugin for authentication
Discovery Timeline
- 2026-02-08 - CVE-2025-15100 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-15100
Vulnerability Analysis
The JAY Login & Register plugin exposes an AJAX endpoint named jay_panel_ajax_update_profile intended to let logged-in users edit their own profile information. The handler accepts user-supplied input but fails to restrict which user meta keys can be modified. Because WordPress stores role assignments inside the wp_capabilities user meta entry, any writable meta key becomes a vector for privilege escalation.
Authenticated attackers send a crafted AJAX request supplying wp_capabilities with the value administrator. The plugin writes this value directly into the user's meta table without validating the key against an allowlist or enforcing a capability check. After the update, the attacker holds full administrative rights on the WordPress site.
Root Cause
The root cause is missing authorization and missing input filtering in the profile update routine at includes/user-panel/jay-login-register-ajax-handler-user-panel.php around line 624. The function trusts caller-provided meta keys and values without validating that the requested meta key is part of an approved profile field set. Refer to the WordPress Plugin Source Code for the vulnerable code path.
Attack Vector
An attacker first obtains Subscriber-level credentials, typically through open registration on the target site. The attacker then issues an authenticated admin-ajax.php POST request invoking the vulnerable action. The request body contains key-value pairs that overwrite arbitrary user meta, including role-controlling fields. The exploit requires no user interaction and operates entirely over the network. Additional technical context is available in the Wordfence Vulnerability Report.
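The following is an added illustration of the defect class described above and of the fix the Root Cause section calls for; it is not the plugin's own code. The action name, nonce action and profile field names are assumptions; the only page-derived key is wp_capabilities.

```php
<?php
// Illustrative pattern, not the JAY Login & Register plugin's code.

// VULNERABLE PATTERN: every POSTed key is written straight into user meta,
// so any logged-in user can submit wp_capabilities and change their own role.
function example_update_profile_vulnerable() {
    $user_id = get_current_user_id();
    $input   = isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) ? wp_unslash( $_POST['meta'] ) : array();
    foreach ( $input as $key => $value ) {        // caller controls $key
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success();
}

// HARDENED PATTERN: CSRF nonce, a fixed allowlist of profile keys, and
// scalar sanitisation; role-bearing keys are never in the list and are dropped.
// wp_ajax_* (without a nopriv twin) already requires an authenticated session.
function example_update_profile_hardened() {
    check_ajax_referer( 'example_profile_nonce', 'nonce' ); // assumed nonce action
    $user_id = get_current_user_id();

    // Only plain profile fields may be written.
    $allowed = array( 'first_name', 'last_name', 'description', 'example_phone' );
    $input   = isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) ? wp_unslash( $_POST['meta'] ) : array();

    $updated = array();
    foreach ( $allowed as $key ) {
        if ( array_key_exists( $key, $input ) && is_scalar( $input[ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $input[ $key ] ) );
            $updated[] = $key;
        }
    }

    // Keys outside the allowlist (wp_capabilities, wp_user_level, ...) are
    // ignored and logged, which doubles as a detection signal.
    $rejected = array_diff( array_keys( $input ), $allowed );
    if ( ! empty( $rejected ) ) {
        error_log( 'profile update: user ' . $user_id . ' sent disallowed keys ' . implode( ',', $rejected ) );
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_hardened' );
```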
Detection Methods for CVE-2025-15100
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=jay_panel_ajax_update_profile and parameters referencing wp_capabilities, wp_user_level, or other privileged meta keys
- Unexpected promotion of low-privileged accounts to administrator role in the WordPress users table
- New administrator accounts created shortly after profile update AJAX requests
- Recently registered Subscriber accounts exhibiting administrative actions such as plugin or theme installation
Detection Strategies
- Review the wp_usermeta table for unauthorized changes to the wp_capabilities key across non-admin accounts
- Inspect web server access logs for jay_panel_ajax_update_profile requests originating from non-administrative sessions; because the AJAX action and meta keys travel in the POST body, standard access logs may show only /wp-admin/admin-ajax.php, so WAF or request-body logging is needed to see the action name and keys
- Correlate user role changes with the source IP and session that performed the update
Monitoring Recommendations
- Enable WordPress audit logging for role and capability modifications
- Alert on any AJAX action referencing meta keys outside an approved profile field list
- Monitor for spikes in new user registrations followed by privileged actions within short time windows
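One way to implement the audit logging recommended above, as an added example rather than code from the plugin or WordPress itself: a must-use plugin that hooks the user meta layer, since a direct update_user_meta() call to the capabilities key never fires the set_user_role action. Function names and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Example Capability Change Audit (added example, not part of any plugin)
 * Drop into wp-content/mu-plugins/. Logs every write to the role-bearing user
 * meta keys, whichever code path performed it.
 */

// Role assignments live in "{$wpdb->prefix}capabilities" (wp_capabilities on
// a default install); wp_user_level is the legacy companion key.
function example_is_role_meta_key( $meta_key ) {
    global $wpdb;
    return $meta_key === $wpdb->prefix . 'capabilities'
        || $meta_key === $wpdb->prefix . 'user_level';
}

function example_audit_role_meta_write( $meta_id, $object_id, $meta_key, $meta_value ) {
    if ( ! example_is_role_meta_key( $meta_key ) ) {
        return;
    }
    $actor  = get_current_user_id();
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $entry  = array(
        'time'        => gmdate( 'c' ),
        'target_user' => (int) $object_id,
        'actor_user'  => (int) $actor,
        'meta_key'    => $meta_key,
        'new_value'   => wp_json_encode( $meta_value ),
        'via_ajax'    => defined( 'DOING_AJAX' ) && DOING_AJAX,
        'ajax_action' => $action,
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
        'self_change' => (int) $actor === (int) $object_id,
    );
    // A user rewriting their own capabilities through an AJAX action is the
    // exact pattern this advisory describes; flag it at a higher level.
    $level = ( $entry['self_change'] && $entry['via_ajax'] ) ? 'ALERT' : 'INFO';
    error_log( $level . ' role meta write ' . wp_json_encode( $entry ) );
}
add_action( 'updated_user_meta', 'example_audit_role_meta_write', 10, 4 );
add_action( 'added_user_meta',   'example_audit_role_meta_write', 10, 4 );
```

Correlate ALERT entries with the access log and WAF records for the same remote_addr and timestamp to reconstruct the session that performed the change.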
How to Mitigate CVE-2025-15100
Immediate Actions Required
- Update the JAY Login & Register plugin to a patched release once published by the vendor
- Audit all WordPress accounts and demote or remove any unauthorized administrators
- Rotate credentials and application passwords for all administrative users
- Disable open user registration if it is not required for site operations
Patch Information
No fixed version is identified in the public advisory at the time of writing. All versions up to and including 2.6.03 are vulnerable. Site operators should monitor the Wordfence Vulnerability Report and the WordPress plugin repository for an updated release that restricts which user meta keys can be modified via the AJAX handler.
Workarounds
- Deactivate and remove the JAY Login & Register plugin until a fixed version is available
- Restrict access to /wp-admin/admin-ajax.php for the jay_panel_ajax_update_profile action at the web application firewall (WAF) layer
- Set users_can_register to false in WordPress settings to prevent attackers from obtaining the required Subscriber account
- Apply least-privilege role assignments and review user roles regularly
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.