CVE-2025-12822: CWE-862 Missing Authorization in cyberlord92 WP Login and Register using JWT
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on sites that do not have an API key configured and subsequently use that to access restricted endpoints.
AI Analysis
Technical Summary
CVE-2025-12822 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WP Login and Register using JWT plugin for WordPress, developed by cyberlord92. The flaw exists in all versions up to and including 3.0.0, where the function 'mo_jwt_generate_new_api_key' lacks proper capability checks. This omission allows any authenticated user with at least Subscriber-level access to generate a new API key on sites that do not already have an API key configured. The generated API key can then be used to access restricted endpoints that normally require higher privileges, effectively bypassing intended access controls. The vulnerability is remotely exploitable without user interaction and requires only low privileges, which lowers the effort needed to exploit it. The CVSS 3.1 base score is 4.3, reflecting a medium severity primarily due to the confidentiality impact, as the vulnerability does not affect integrity or availability. No patches or known exploits are currently available, but the risk remains significant for sites using this plugin without proper configuration or additional access restrictions.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized data exposure on WordPress sites using the affected plugin. Attackers with minimal privileges can escalate access by generating API keys, potentially accessing sensitive or restricted information. This can lead to data leaks, privacy violations, and compliance issues under regulations such as GDPR. Although the vulnerability does not directly impact system integrity or availability, unauthorized access to restricted endpoints can undermine trust and lead to reputational damage. Organizations relying on WordPress for customer-facing or internal portals are particularly vulnerable. The ease of exploitation and the widespread use of WordPress in Europe increase the likelihood of targeted attacks, especially in sectors with sensitive data such as finance, healthcare, and government services.
Mitigation Recommendations
1. Immediately review and restrict Subscriber-level user accounts to only trusted individuals, minimizing the attack surface.
2. Disable or remove the WP Login and Register using JWT plugin if it is not essential, or replace it with a more secure alternative.
3. If the plugin must be used, implement strict monitoring and logging of API key generation events to detect unauthorized activity.
4. Apply custom capability checks or patches to enforce authorization on the 'mo_jwt_generate_new_api_key' function until an official patch is released.
5. Restrict access to the WordPress admin dashboard and API endpoints via IP whitelisting or VPNs where feasible.
6. Conduct regular audits of API keys and revoke any suspicious or unused keys promptly.
7. Educate site administrators about the risks of low-privilege accounts and enforce strong role-based access controls.
8. Stay updated with vendor announcements for patches and apply them as soon as they become available.
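Recommendations 3 and 4 above come down to one WordPress pattern: a privileged action must be gated by a capability check, and the outcome should be logged. The following is an added illustration written for this page, not code from the plugin or from cyberlord92; the function names (`example_generate_api_key_*`, `example_log_api_key_event`), the option name `example_jwt_api_key`, the REST route `example-jwt/v1/api-key`, and the assumption that the key is minted through a REST endpoint are all hypothetical, since the page does not show how 'mo_jwt_generate_new_api_key' is reached. It places the unchecked handler shape that produces a CWE-862 condition next to a hardened form that enforces `manage_options` both in `permission_callback` and inside the handler, and records every attempt for monitoring.

```php
<?php
/**
 * Added example (not the plugin's code): a REST endpoint that generates an
 * API key, shown first without and then with a capability check.
 * Requires WordPress; hook names and option names are hypothetical.
 */

// --- Weak shape: the handler trusts any authenticated caller. ---
// Any logged-in user (Subscriber and up) who reaches this function can mint
// the site-wide key when none exists yet. This is the CWE-862 condition.
function example_generate_api_key_unchecked( WP_REST_Request $request ) {
    if ( get_option( 'example_jwt_api_key' ) ) {
        return new WP_Error( 'exists', 'API key already configured', array( 'status' => 409 ) );
    }
    $key = bin2hex( random_bytes( 32 ) );
    update_option( 'example_jwt_api_key', $key, false );
    return rest_ensure_response( array( 'api_key' => $key ) );
}

// --- Hardened shape: explicit capability check plus audit logging. ---

// Route-level gate: only administrators (manage_options) may mint a key.
// Returning a WP_Error from permission_callback yields a 403 before the
// handler runs; returning true unconditionally is the mistake to avoid.
function example_can_manage_api_keys( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges', array( 'status' => 403 ) );
    }
    return true;
}

function example_generate_api_key_checked( WP_REST_Request $request ) {
    // Defence in depth: re-check inside the handler so the authorization
    // holds even if the function is later reused from another code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        example_log_api_key_event( 'denied', get_current_user_id() );
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges', array( 'status' => 403 ) );
    }
    if ( get_option( 'example_jwt_api_key' ) ) {
        example_log_api_key_event( 'rejected_existing', get_current_user_id() );
        return new WP_Error( 'exists', 'API key already configured', array( 'status' => 409 ) );
    }
    // 256-bit key from the CSPRNG; autoload=false keeps the secret out of
    // the options blob loaded on every request.
    $key = bin2hex( random_bytes( 32 ) );
    update_option( 'example_jwt_api_key', $key, false );
    example_log_api_key_event( 'generated', get_current_user_id() );
    return rest_ensure_response( array( 'api_key' => $key ) );
}

// Audit record for recommendation 3: who attempted key generation, from
// where, and whether it was allowed. Written to the PHP error log and
// exposed as an action so a log shipper or SIEM integration can subscribe.
function example_log_api_key_event( $outcome, $user_id ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    $entry = sprintf(
        '[example-jwt] api_key_%s user=%d remote=%s ts=%s',
        $outcome,
        (int) $user_id,
        $remote,
        current_time( 'mysql', true )
    );
    error_log( $entry );
    do_action( 'example_jwt_api_key_event', $outcome, (int) $user_id, $remote );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-jwt/v1', '/api-key', array(
        'methods'             => 'POST',
        'callback'            => 'example_generate_api_key_checked',
        'permission_callback' => 'example_can_manage_api_keys',
    ) );
} );
```

When reviewing a site for this class of issue, the check is the same regardless of delivery mechanism: every REST route, admin-ajax handler, or admin-post action that changes security-relevant state must call `current_user_can()` with the right capability (and, for form-driven admin actions, verify a nonce with `check_admin_referer()` or `wp_verify_nonce()`), and `is_user_logged_in()` alone is not an authorization check. Alerting on any `api_key_generated` or `api_key_denied` entry from a non-administrator account gives the monitoring recommended in item 3.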
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T18:44:15.837Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d6897a27e6d5e91bc16dd
Added to database: 11/19/2025, 6:49:59 AM
Last enriched: 11/26/2025, 8:08:42 AM
Last updated: 1/7/2026, 5:06:21 AM