What the vulnerability does
01 Description
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_login_register_ajax_create_final_user' function. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
Explanation of Vulnerability in Simple Terms
02 Summary
JAY Login & Register versions 2.6.03 and earlier contain a privilege management flaw that allows unauthenticated attackers to gain full control over the site without user interaction. The vulnerability affects every version since the plugin's release, and no patch is currently available. Site administrators should immediately disable or remove the plugin until an update is released.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete any data on the site; create admin accounts; run their own code.
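An added example, not part of the advisory or the plugin's code: WordPress stores each user's roles in a user-meta row, so on a site that ran an affected version one check is to list accounts whose capabilities row grants administrator but that are not known admins. The sample rows, the `wp_` and `site7_` table prefixes and the expected-admin IDs are constructed assumptions.

```python
import re

# Constructed sample rows (user_id, meta_key, meta_value) in the shape of a
# WordPress usermeta table dump; not data from any real site.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:0;}'),
    (5, "site7_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (6, "nickname", "administrator"),
]

# One entry of a PHP-serialized array of booleans: s:<len>:"<name>";b:<0|1>;
_ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def granted_roles(serialized):
    """Return the role names set to true in a serialized capabilities value."""
    roles = set()
    for length, name, flag in _ENTRY.findall(serialized):
        # PHP string lengths are byte counts; skip entries that do not match.
        if int(length) == len(name.encode()) and flag == "1":
            roles.add(name)
    return roles


def find_unexpected_admins(rows, expected_admin_ids, prefix="wp_"):
    """Return sorted user IDs that hold administrator but are not expected to.

    prefix is the site's database table prefix (assumed "wp_" by default);
    the capabilities meta key is named <prefix>capabilities.
    """
    cap_key = prefix + "capabilities"
    flagged = set()
    for user_id, key, value in rows:
        if key != cap_key or user_id in expected_admin_ids:
            continue
        if "administrator" in granted_roles(value):
            flagged.add(user_id)
    return sorted(flagged)


if __name__ == "__main__":
    # User 1 is the only account the site owner expects to be an admin.
    for uid in find_unexpected_admins(SAMPLE_USERMETA, {1}):
        print(f"user {uid}: administrator role not on the expected list")
```

Pass the site's real table prefix; with the default `wp_` a row such as `site7_capabilities` is never examined.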
Potential impact on your site
04 Site Impact
Complete compromise of the site and all user data; attacker can take full control without warning.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 8, 2026: CVE published
April 8, 2026: Record updated