CVE-2025-14440 · CRITICAL 9.8 · EPSS p48.0%

Description

The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% probability of exploitation · percentile 48.0% · 2026-06-19T12:03:05Z
Published: 2025-12-13
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-565

References

  1. https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98
  2. https://plugins.trac.wordpress.org/changeset/3418754/
  3. https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve

Type | Target | Confidence | Tier
Weakness | Reliance on Cookies without Validation and Integrity Checking (cwe-565) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-15027
  2. CVE-2025-15100
  3. CVE-2025-2594
  4. CVE-2025-10484
  5. CVE-2025-7444
  6. CVE-2025-14975

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.