Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (Wordfence) · only source for this CVE.
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Simple JWT Login - Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload() only overwrites JWT payload keys whose names appear in the admin-configured jwt_payload list - leaving any attacker-supplied identity claims such as email, id, or username intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the payload parameter at the /wp-json/simple-jwt-login/v1/auth endpoint, then redeeming the resulting JWT at the /autologin endpoint to obtain a fully authenticated session as that administrator.
Articles & Coverage 1
AnalysisAI
Privilege escalation in the Simple JWT Login WordPress plugin (all versions through 3.6.6) lets an authenticated subscriber-level user forge an Administrator session by injecting arbitrary identity claims into the JWT payload. Because AuthenticateService::generatePayload() only overwrites payload keys that appear in the admin-configured jwt_payload allowlist, attacker-supplied claims such as email, id, or username survive and are signed with the site's HS256 secret; the token is then redeemed at /autologin to log in as any administrator. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
24 hours: Deactivate the Simple JWT Login plugin immediately, or block access to the /autologin endpoint via firewall rules if the plugin provides critical functionality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43145
GHSA-4f4m-2qm7-575f