How to fix CVE-2025-14440?

Within 24 hours: Immediately disable the JAY Login & Register plugin on all WordPress installations. Within 7 days: Audit all user accounts and session logs for unauthorized access; reset administrator passwords and review admin activity logs; consider temporary rollback to an alternative authentication solution. Within 30 days: Either upgrade plugin to version >2.4.01 when vendor releases patched version, or migrate permanently to a patched alternative WordPress authentication plugin and remove JAY plugin entirely.

Is WordPress affected by CVE-2025-14440?

JAY Login & Register plugin for WordPress (versions ≤2.4.01) contains a critical authentication bypass vulnerability that allows unauthenticated attackers to impersonate any user, including administrators, using only publicly guessable user IDs.

CVE-2025-14440

CRITICAL

2025-12-13 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 08, 2026 - 18:38 vuln.today

CVE Published

Dec 13, 2025 - 16:16 nvd

CRITICAL 9.8

Description

The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

Analysis

Authentication bypass in JAY Login & Register plugin for WordPress versions ≤2.4.01 allows unauthenticated remote attackers to impersonate any site user, including administrators, by exploiting flawed cookie validation in the user-switching function. Attackers require only knowledge of target user IDs to gain complete account access without credentials. No public exploit identified at time of analysis.

Technical Context

CWE-565 flaw in jay_login_register_process_switch_back function permits cookie manipulation to bypass authentication checks. The function improperly validates the jay_login_register_process_switch_back cookie value, enabling arbitrary user ID substitution. CVSS vector PR:N confirms unauthenticated attack surface with network accessibility and low complexity.

Affected Products

JAY Login & Register plugin for WordPress, versions 2.4.01 and earlier. CPE: cpe:2.3:a:jaylabssoft:jay_login_\&_register:*:*:*:*:*:wordpress:*:* (versions through 2.4.01). Vendor: JayLabsSoft.

Remediation

Vendor-released patch: version 2.4.02 addresses authentication bypass via Trac changeset 3418754, which corrects cookie validation logic in the user-switching mechanism (https://plugins.trac.wordpress.org/changeset/3418754/). Immediately upgrade to JAY Login & Register 2.4.02 or later through WordPress dashboard. For sites unable to patch immediately, deactivate the plugin entirely until upgrade is feasible, as no effective workaround exists for this critical authentication flaw. Audit user activity logs for suspicious login patterns or privilege escalations during vulnerable period. Full vendor advisory available at https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve confirming remediation details and scope.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: 0

CVE-2025-14440 vulnerability details – vuln.today

Back

CVE-2025-14440

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-14440

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code