CVE-2025-12822: CWE-862 Missing Authorization in cyberlord92 WP Login and Register using JWT
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on sites that do not have an API key configured and subsequently use that key to access restricted endpoints.
AI Analysis
Technical Summary
CVE-2025-12822 is a CWE-862 (Missing Authorization) flaw in the WP Login and Register using JWT plugin for WordPress, developed by cyberlord92. The function 'mo_jwt_generate_new_api_key', which creates the API key the plugin uses for its JWT authentication, performs no capability check, so the request is accepted from any logged-in user rather than only from administrators. All plugin versions up to and including 3.0.0 are affected. The flaw is only exploitable while the site has no API key configured: an attacker holding any account, Subscriber level included (the default role WordPress assigns to self-registered users), can generate the key, receive its value, and then present it to the plugin's restricted endpoints. Note that the missing check is authorization, not authentication; the attacker must still be logged in, but nothing verifies that the logged-in user is permitted to manage the key. No user interaction is required and the attack is carried out over the network. The CVSS v3.1 base score is 4.3 (Medium): network attack vector, low attack complexity, low privileges required, no user interaction, limited confidentiality impact and no impact on integrity or availability. At the time of writing no patch is linked and no exploitation in the wild has been reported. The bug is a textbook case of why key-management functions in WordPress plugins need an explicit current_user_can() check instead of relying on the caller merely being logged in.
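The pattern the summary describes, as an added illustration that is not the plugin's code: the advisory names only the function 'mo_jwt_generate_new_api_key', so the AJAX action names, option names and every function ending in `_example` below are assumptions made for the example. The first handler reproduces the CWE-862 shape (only the "no key yet" precondition is checked, never who is asking); the second adds the capability check and a nonce, and stores only a hash of the key.

```php
<?php
/**
 * Added illustration of the CWE-862 pattern, NOT code from the plugin.
 * The advisory only names the function 'mo_jwt_generate_new_api_key';
 * everything below (option names, AJAX action names, the *_example
 * functions) is assumed for the sake of the example.
 */

// wp_ajax_* hooks fire only for logged-in users, which matches the
// "Subscriber-level access and above" precondition in the advisory.
add_action( 'wp_ajax_generate_api_key_example', 'generate_api_key_vulnerable_example' );

function generate_api_key_vulnerable_example() {
    // Only the "no key yet" precondition is checked; WHO is asking is not.
    // A Subscriber who hits this endpoint first owns the key.
    if ( get_option( 'jwt_api_key_example' ) ) {
        wp_send_json_error( 'API key already configured', 409 );
    }
    $key = wp_generate_password( 32, false ); // 32 chars, alphanumeric only
    update_option( 'jwt_api_key_example', $key );
    wp_send_json_success( array( 'api_key' => $key ) ); // handed to the caller
}

// Hardened version of the same handler.
add_action( 'wp_ajax_generate_api_key_safe_example', 'generate_api_key_safe_example' );

function generate_api_key_safe_example() {
    // 1. Authorization (the missing piece): being logged in is not enough,
    //    the caller must hold a capability only administrators have.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Anti-CSRF: the request must carry a nonce minted for this action,
    //    so an admin cannot be tricked into generating a key from another tab.
    check_ajax_referer( 'generate_api_key_safe_example', 'nonce' );

    $key = wp_generate_password( 32, false );
    // 3. Persist only a hash; the plaintext is shown once to the admin.
    update_option( 'jwt_api_key_hash_example', hash( 'sha256', $key ) );
    wp_send_json_success( array( 'api_key' => $key ) );
}

// Endpoint side: compare in constant time against the stored hash.
function verify_api_key_example( $presented ) {
    $stored = get_option( 'jwt_api_key_hash_example' );
    if ( ! is_string( $stored ) || $stored === '' ) {
        return false; // no key configured: reject, never "allow all"
    }
    return hash_equals( $stored, hash( 'sha256', (string) $presented ) );
}
```

Two details worth noting. No `wp_ajax_nopriv_` variant is registered, so anonymous visitors get no handler at all, but that alone does not stop a Subscriber; only the `current_user_can()` gate does. And `verify_api_key_example()` treats "no key configured" as a hard deny, which is the state in which the advisory's attack window exists.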
Potential Impact
The primary impact of CVE-2025-12822 is unauthorized access to restricted API endpoints through an API key the attacker generated for themselves. Organizations running the affected plugin without an API key configured risk exposure of whatever data those endpoints serve. The attacker must hold at least a Subscriber account, but that is the lowest privilege level and the one commonly granted to self-registered users, so on sites with open registration the precondition is trivial. The vulnerability does not affect integrity or availability; its impact is on confidentiality. Sites that rely on JWT authentication for sensitive operations could see data leakage or unauthorized information disclosure, and the exposure is greatest where subscriber accounts are easy to create or compromise. With no known exploitation in the wild the risk is currently theoretical, but a missing-capability-check bug is simple to weaponize once the request format is known. Exposure of sensitive data through the affected endpoints could also undermine trust in the authentication mechanism and create compliance obligations.
Mitigation Recommendations
1. Audit every WordPress site running the WP Login and Register using JWT plugin: record the installed version (affected if 3.0.0 or earlier) and whether an API key is already configured.
2. Because the flaw is only reachable while no API key exists, an administrator configuring an API key through the plugin's own settings closes the attack window on affected versions until a fix is available.
3. Turn off open registration (Settings > General, "Anyone can register") where it is not needed and review existing low-privilege accounts; a single Subscriber account is all the attacker needs.
4. Do not rely on role configuration alone: the vulnerable function skips the capability check entirely, so removing capabilities from the Subscriber role does not block it. Treat role hardening as defence in depth, not as a fix.
5. Monitor web-server and WordPress logs for requests that trigger API key generation from non-administrator accounts, and for first use of the plugin's JWT-protected endpoints shortly after such a request.
6. Where feasible, disable the plugin temporarily or replace it with a JWT authentication plugin that enforces authorization on key management.
7. Watch for a vendor release that adds the missing capability check and apply it promptly once published.
8. Add further layers around the API, such as IP allow-listing, rate limiting and anomaly detection, to limit abuse of a key obtained this way.
9. Brief site administrators on the risk and schedule regular reviews of plugin settings and user privileges.
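The audit and registration steps above can be put in a must-use plugin, shown here as an added example that is not code from the plugin or its vendor. It forces open registration off (the `pre_option_users_can_register` filter short-circuits `get_option()`), and raises an admin notice when an affected version is active. The plugin main-file path is an assumption; confirm the real one with `wp plugin list` before deploying.

```php
<?php
/**
 * Plugin Name: Example JWT hardening (mu-plugin)
 * Added example, not code from the plugin or its vendor. Drop the file
 * into wp-content/mu-plugins/. The plugin file path below is an ASSUMPTION.
 */

// ASSUMED path (dir/main-file.php); replace with the real one.
const EXAMPLE_JWT_PLUGIN_FILE  = 'wp-login-and-register-using-jwt/example-main.php';
const EXAMPLE_JWT_MAX_AFFECTED = '3.0.0';

// Close open registration so attackers cannot self-provision Subscriber
// accounts. Returning 0 (not false) makes the filter override the option.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// Flag affected installs to administrators on every admin page load.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $file = WP_PLUGIN_DIR . '/' . EXAMPLE_JWT_PLUGIN_FILE;
    if ( ! is_plugin_active( EXAMPLE_JWT_PLUGIN_FILE ) || ! file_exists( $file ) ) {
        return;
    }
    // Read the version from the plugin header without translating/marking it up.
    $version = get_plugin_data( $file, false, false )['Version'];
    if ( version_compare( $version, EXAMPLE_JWT_MAX_AFFECTED, '<=' ) ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( "WP Login and Register using JWT $version is affected by CVE-2025-12822: configure an API key as an administrator or update the plugin." )
        );
    }
} );
```

The notice deliberately does not check whether an API key is configured, because the option name the plugin uses for it is not given in the advisory; that check is left to the administrator reviewing the plugin's settings page.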
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T18:44:15.837Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d6897a27e6d5e91bc16dd
Added to database: 11/19/2025, 6:49:59 AM
Last enriched: 2/27/2026, 9:11:23 PM
Last updated: 3/22/2026, 1:26:49 AM