CVE-2025-15100 HIGH

CVE-2025-15100: JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile

Vendor: Jayarsiech
Product: JAY Login & Register
Weakness: CWE-269
Published: February 8, 2026
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
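
The safer pattern for a self-service profile endpoint, as an added example that is not the plugin's code or its vendor's fix: only allowlisted meta keys are written, and only to the requesting user's own account. The function names, the action name `example_update_profile`, the `nonce` field and the field list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical names and field list, not the plugin's code.
// Anti-pattern the advisory describes: writing every posted key to user meta.
// WordPress keeps a user's roles in user meta, so the key set must be closed.

// Profile fields a user may edit about themselves, each with its sanitizer.
// Anything not listed here is never written to user meta.
const EXAMPLE_PROFILE_FIELDS = [
    'first_name'  => 'sanitize_text_field',
    'last_name'   => 'sanitize_text_field',
    'description' => 'sanitize_textarea_field',
];

// Keep only allowlisted string fields from the submitted data.
function example_filter_profile_meta(array $submitted): array
{
    $clean = [];
    foreach (EXAMPLE_PROFILE_FIELDS as $key => $sanitizer) {
        if (isset($submitted[$key]) && is_string($submitted[$key])) {
            $clean[$key] = call_user_func($sanitizer, $submitted[$key]);
        }
    }
    return $clean;
}

// Hardened AJAX handler (hypothetical action name "example_update_profile").
function example_ajax_update_profile(): void
{
    // Reject forged or cross-site requests before touching any data.
    check_ajax_referer('example_update_profile', 'nonce');

    // Act only on the session's own account; never trust a posted user ID.
    $user_id = get_current_user_id();
    if ($user_id === 0) {
        wp_send_json_error(['message' => 'Not logged in'], 401);
    }

    $fields = example_filter_profile_meta(wp_unslash($_POST));
    foreach ($fields as $key => $value) {
        update_user_meta($user_id, $key, $value);
    }
    wp_send_json_success(['updated' => array_keys($fields)]);
}
// wp_ajax_* hooks fire for logged-in users only.
add_action('wp_ajax_example_update_profile', 'example_ajax_update_profile');
```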

Explanation of Vulnerability in Simple Terms

02 Summary

JAY Login & Register versions 2.6.03 and earlier contain a privilege management flaw that allows authenticated users with low privileges to gain unauthorized access to sensitive data and modify site content. An attacker with a standard user account can read confidential information, alter records, or disrupt site availability without requiring additional user interaction. Update to a version newer than 2.6.03 immediately.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, and disrupt availability with a low-privilege user account.

Potential impact on your site

04 Site Impact

Any registered user can access admin-level functions, read private data, and modify or delete content.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid low-privilege user account on the site.

Key dates

06 Disclosure timeline

February 8, 2026: CVE published
April 8, 2026: Record updated