CVE-2025-14440

Critical

Published: 13 December 2025

Published

13 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 34.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible…

for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely patching of the authentication bypass flaw in the JAY Login & Register plugin directly eliminates the vulnerability allowing unauthenticated attackers to log in as any user.

SI-10 Information Input Validation good match

prevent

Validating the 'jay_login_register_process_switch_back' cookie value as untrusted input prevents attackers from bypassing authentication through manipulation.

AC-3 Access Enforcement good match

prevent

Enforcing approved access authorizations ensures proper authentication checks in functions like 'jay_login_register_process_switch_back' to block unauthorized logins.

Security SummaryAI

CVE-2025-14440 is an authentication bypass vulnerability in the JAY Login & Register plugin for WordPress, affecting versions up to and including 2.4.01. The flaw arises from incorrect authentication checking in the 'jay_login_register_process_switch_back' function, which improperly validates the 'jay_login_register_process_switch_back' cookie value. Published on 2025-12-13, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-565.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. If they have knowledge of a target user's ID, they can manipulate the specified cookie to log in as any existing user on the site, including administrators, gaining full access to their privileges.

Mitigation guidance is available through referenced advisories and patches, including the vulnerable code at https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98, a plugin repository changeset at https://plugins.trac.wordpress.org/changeset/3418754/, and a Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve.

Details

CWE(s): CWE-565

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

This authentication bypass vulnerability in a WordPress plugin allows unauthenticated remote attackers to exploit a public-facing web application, impersonate any user including administrators, and achieve full site compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3418754/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve
security@wordfence.com