CVE-2025-12822 identifies a missing authorization vulnerability (CWE-862) in the WP Login and Register using JWT plugin for WordPress, developed by cyberlord92. The vulnerability exists in all versions up to and including 3.0.0 due to the absence of a capability check in the 'mo_jwt_generate_new_api_key' function. This function is responsible for generating new API keys used to authenticate requests to protected endpoints. Because the plugin does not verify whether the requesting user has sufficient privileges before generating a new API key, any authenticated user with Subscriber-level access or higher can invoke this function to create an API key if the site has no pre-configured API key. This unauthorized API key can then be used to access restricted API endpoints that normally require higher privileges, potentially exposing sensitive data. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and only low privileges are required (PR:L). The vulnerability impacts confidentiality (C:L) but does not affect integrity or availability. No known public exploits or patches are currently available, though the issue has been officially published and reserved in the CVE database. This vulnerability highlights the risk of insufficient authorization checks in WordPress plugins that handle authentication tokens and API keys, which can lead to privilege escalation and data exposure.

For European organizations, this vulnerability poses a risk of unauthorized data exposure through the exploitation of API keys generated without proper authorization. Organizations using the affected plugin versions on WordPress sites that do not have API keys pre-configured are particularly vulnerable. Attackers with minimal authenticated access (Subscriber-level) can escalate their access to retrieve sensitive information from restricted endpoints, potentially leading to data breaches. This can affect customer data, internal information, or other sensitive content managed via the WordPress site. Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the confidentiality breach can have regulatory implications under GDPR and damage organizational reputation. The risk is heightened in sectors with strict data protection requirements such as finance, healthcare, and government institutions. Additionally, the ease of exploitation and network accessibility make it a practical threat if left unmitigated.

1. Immediately audit WordPress sites using the WP Login and Register using JWT plugin to identify affected versions (all versions up to 3.0.0). 2. Monitor for official patches or updates from the plugin developer and apply them as soon as they are released. 3. If patches are not yet available, implement custom authorization checks by modifying the plugin code or using WordPress hooks to restrict the 'mo_jwt_generate_new_api_key' function to administrator roles only. 4. Ensure that API keys are pre-configured and not left unset, as the vulnerability only applies when no API key exists. 5. Review and restrict Subscriber-level user permissions to the minimum necessary, and consider disabling or removing unused user accounts. 6. Enable detailed logging and monitoring of API key generation events and access to restricted endpoints to detect suspicious activity. 7. Conduct regular security assessments and penetration testing focusing on authentication and authorization mechanisms within WordPress environments. 8. Educate site administrators about the risks of installing plugins without proper security reviews and encourage the use of well-maintained plugins.