CVE-2025-14440

JAY Login & Register <= 2.4.01 - Authentication Bypass via Cookie

criticalReliance on Cookies without Validation and Integrity Checking
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
2.5.01
Patched in
7d
Time to patch

Description

The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.4.01
PublishedDecember 12, 2025
Last updatedDecember 19, 2025
Affected pluginjay-login-register

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-14440 (JAY Login & Register) ## 1. Vulnerability Summary The **JAY Login & Register** plugin (up to version 2.4.01) contains a critical authentication bypass vulnerability within its "Switch Back" functionality. The plugin implements a function named `jay_logi…

Show full research plan

Exploitation Research Plan: CVE-2025-14440 (JAY Login & Register)

1. Vulnerability Summary

The JAY Login & Register plugin (up to version 2.4.01) contains a critical authentication bypass vulnerability within its "Switch Back" functionality. The plugin implements a function named jay_login_register_process_switch_back that processes a cookie named jay_login_register_process_switch_back. Due to a lack of integrity checking (such as a cryptographic signature or HMAC) and insufficient permission validation, an unauthenticated attacker can supply an arbitrary User ID in this cookie to be automatically logged in as that user.

2. Attack Vector Analysis

  • Endpoint: Any WordPress frontend or backend URL (the check likely runs on the init or plugins_loaded hook).
  • Vulnerable Parameter: jay_login_register_process_switch_back (Cookie).
  • Authentication Level: Unauthenticated.
  • Preconditions: The attacker must know the User ID of the target account (typically 1 for the initial administrator).
  • Mechanism: The plugin reads the User ID from the cookie and calls wp_set_auth_cookie() without verifying if the request originated from a legitimate "User Switching" session.

3. Code Flow (Inferred)

  1. Entry Point: The plugin likely registers the vulnerable function to a global hook:
    add_action('init', 'jay_login_register_process_switch_back');
  2. Cookie Retrieval: Inside jay_login_register_process_switch_back, the code checks for the existence of the cookie:
    $user_id = $_COOKIE['jay_login_register_process_switch_back'];
  3. Missing Validation: The code fails to verify a secret token or check if the current user was previously an administrator authorized to switch users.
  4. Sink: The code proceeds to log the user in:
    wp_set_current_user($user_id);
    wp_set_auth_cookie($user_id);
    // Likely followed by a redirect to wp-admin/
    

4. Nonce Acquisition Strategy

Based on the vulnerability description ("Reliance on Cookies without Validation"), this specific bypass occurs during the initial request processing via cookies.

  • Is a Nonce Required? No. Authentication bypasses involving wp_set_auth_cookie triggered by cookies typically occur before any nonce-protected actions are reached. The cookie is the bypass mechanism.
  • Verification: If the jay_login_register_process_switch_back function requires a nonce passed via GET/POST in addition to the cookie (unlikely for "switch back" logic), the researcher should check if the nonce is exposed via wp_localize_script in the login or registration pages.

5. Exploitation Strategy

The goal is to trick WordPress into issuing administrator session cookies by presenting the "Switch Back" cookie.

Step 1: Identify Target User ID

In most WordPress installations, the primary administrator is User ID 1.

Step 2: Craft the Bypass Request

Use the http_request tool to send a request to the WordPress index with the malicious cookie.

  • URL: http://localhost:8080/
  • Method: GET
  • Headers:
    • Cookie: jay_login_register_process_switch_back=1
  • Redirects: Follow redirects to capture the final landing page and the Set-Cookie headers.

Step 3: Capture Authentication Cookies

A successful response will include Set-Cookie headers for:

  • wordpress_logged_in_[hash]
  • wordpress_[hash]

6. Test Data Setup

  1. Install Plugin: Install JAY Login & Register version 2.4.01.
  2. Admin User: Ensure an administrator exists with User ID 1.
  3. Plugin State: The plugin must be active. No specific configuration of the "User Switching" feature is likely required if the vulnerability exists in the global init handler.

7. Expected Results

  • HTTP Response: The server should return a 302 Found redirecting to /wp-admin/ or the homepage.
  • Headers: The Set-Cookie header must contain new WordPress authentication tokens corresponding to the administrator (UID 1).
  • Access: Using the captured wordpress_logged_in_... cookie in subsequent requests should grant full administrative access.

8. Verification Steps

After performing the HTTP request, use WP-CLI to verify the results from the perspective of the server:

  1. Identify Auth Cookies: Use the captured cookies in a browser_navigate call to http://localhost:8080/wp-admin/.
  2. Confirm Identity: Run browser_eval("document.body.innerHTML") and check for the "Howdy, [Admin Name]" string.
  3. Database Check: Use wp user get 1 to confirm the account details match the session captured.

9. Alternative Approaches

If the simple User ID in the cookie fails:

  • Encoding: Try Base64 encoding the User ID: jay_login_register_process_switch_back=MQ==.
  • JSON Format: Try a JSON string: jay_login_register_process_switch_back={"id":1}.
  • Hook Timing: If the cookie is not processed on the homepage, try accessing wp-login.php or wp-admin/admin-ajax.php with the cookie set, as some plugins only load specific logic on those endpoints.
  • Cookie Name Variation: Check if the plugin uses a prefix for cookies based on the WordPress site hash (e.g., jay_login_register_process_switch_back_[hash]). This can be found by inspecting the plugin source code for the setcookie calls.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.