JAY Login & Register <= 2.4.01 - Authentication Bypass via Cookie
Description
The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=2.4.01Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-14440 (JAY Login & Register) ## 1. Vulnerability Summary The **JAY Login & Register** plugin (up to version 2.4.01) contains a critical authentication bypass vulnerability within its "Switch Back" functionality. The plugin implements a function named `jay_logi…
Show full research plan
Exploitation Research Plan: CVE-2025-14440 (JAY Login & Register)
1. Vulnerability Summary
The JAY Login & Register plugin (up to version 2.4.01) contains a critical authentication bypass vulnerability within its "Switch Back" functionality. The plugin implements a function named jay_login_register_process_switch_back that processes a cookie named jay_login_register_process_switch_back. Due to a lack of integrity checking (such as a cryptographic signature or HMAC) and insufficient permission validation, an unauthenticated attacker can supply an arbitrary User ID in this cookie to be automatically logged in as that user.
2. Attack Vector Analysis
- Endpoint: Any WordPress frontend or backend URL (the check likely runs on the
initorplugins_loadedhook). - Vulnerable Parameter:
jay_login_register_process_switch_back(Cookie). - Authentication Level: Unauthenticated.
- Preconditions: The attacker must know the User ID of the target account (typically
1for the initial administrator). - Mechanism: The plugin reads the User ID from the cookie and calls
wp_set_auth_cookie()without verifying if the request originated from a legitimate "User Switching" session.
3. Code Flow (Inferred)
- Entry Point: The plugin likely registers the vulnerable function to a global hook:
add_action('init', 'jay_login_register_process_switch_back'); - Cookie Retrieval: Inside
jay_login_register_process_switch_back, the code checks for the existence of the cookie:$user_id = $_COOKIE['jay_login_register_process_switch_back']; - Missing Validation: The code fails to verify a secret token or check if the current user was previously an administrator authorized to switch users.
- Sink: The code proceeds to log the user in:
wp_set_current_user($user_id); wp_set_auth_cookie($user_id); // Likely followed by a redirect to wp-admin/
4. Nonce Acquisition Strategy
Based on the vulnerability description ("Reliance on Cookies without Validation"), this specific bypass occurs during the initial request processing via cookies.
- Is a Nonce Required? No. Authentication bypasses involving
wp_set_auth_cookietriggered by cookies typically occur before any nonce-protected actions are reached. The cookie is the bypass mechanism. - Verification: If the
jay_login_register_process_switch_backfunction requires a nonce passed via GET/POST in addition to the cookie (unlikely for "switch back" logic), the researcher should check if the nonce is exposed viawp_localize_scriptin the login or registration pages.
5. Exploitation Strategy
The goal is to trick WordPress into issuing administrator session cookies by presenting the "Switch Back" cookie.
Step 1: Identify Target User ID
In most WordPress installations, the primary administrator is User ID 1.
Step 2: Craft the Bypass Request
Use the http_request tool to send a request to the WordPress index with the malicious cookie.
- URL:
http://localhost:8080/ - Method:
GET - Headers:
Cookie: jay_login_register_process_switch_back=1
- Redirects: Follow redirects to capture the final landing page and the
Set-Cookieheaders.
Step 3: Capture Authentication Cookies
A successful response will include Set-Cookie headers for:
wordpress_logged_in_[hash]wordpress_[hash]
6. Test Data Setup
- Install Plugin: Install JAY Login & Register version 2.4.01.
- Admin User: Ensure an administrator exists with User ID
1. - Plugin State: The plugin must be active. No specific configuration of the "User Switching" feature is likely required if the vulnerability exists in the global
inithandler.
7. Expected Results
- HTTP Response: The server should return a
302 Foundredirecting to/wp-admin/or the homepage. - Headers: The
Set-Cookieheader must contain new WordPress authentication tokens corresponding to the administrator (UID 1). - Access: Using the captured
wordpress_logged_in_...cookie in subsequent requests should grant full administrative access.
8. Verification Steps
After performing the HTTP request, use WP-CLI to verify the results from the perspective of the server:
- Identify Auth Cookies: Use the captured cookies in a
browser_navigatecall tohttp://localhost:8080/wp-admin/. - Confirm Identity: Run
browser_eval("document.body.innerHTML")and check for the "Howdy, [Admin Name]" string. - Database Check: Use
wp user get 1to confirm the account details match the session captured.
9. Alternative Approaches
If the simple User ID in the cookie fails:
- Encoding: Try Base64 encoding the User ID:
jay_login_register_process_switch_back=MQ==. - JSON Format: Try a JSON string:
jay_login_register_process_switch_back={"id":1}. - Hook Timing: If the cookie is not processed on the homepage, try accessing
wp-login.phporwp-admin/admin-ajax.phpwith the cookie set, as some plugins only load specific logic on those endpoints. - Cookie Name Variation: Check if the plugin uses a prefix for cookies based on the WordPress site hash (e.g.,
jay_login_register_process_switch_back_[hash]). This can be found by inspecting the plugin source code for thesetcookiecalls.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.