CVE-2025-12822: CWE-862 Missing Authorization in cyberlord92 WP Login and Register using JWT
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints.
AI Analysis
Technical Summary
CVE-2025-12822 describes a missing authorization (CWE-862) vulnerability in the WP Login and Register using JWT plugin for WordPress. The issue exists because the 'mo_jwt_generate_new_api_key' function lacks a capability check, allowing authenticated users with low privileges (Subscriber-level and above) to generate a new API key on sites without an existing API key. This can lead to unauthorized access to restricted API endpoints. The vulnerability affects all versions up to and including 3.0.0. The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and limited confidentiality impact.
Potential Impact
An attacker with Subscriber-level access can generate a new API key on vulnerable sites lacking an API key, enabling unauthorized access to restricted endpoints. This could lead to limited confidentiality breaches but does not affect integrity or availability. The impact is confined to sites using the affected plugin versions without an API key configured.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider restricting Subscriber-level access or disabling the plugin if possible. Monitor for vendor updates regarding a patch or official mitigation.
CVE-2025-12822: CWE-862 Missing Authorization in cyberlord92 WP Login and Register using JWT
Description
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-12822 describes a missing authorization (CWE-862) vulnerability in the WP Login and Register using JWT plugin for WordPress. The issue exists because the 'mo_jwt_generate_new_api_key' function lacks a capability check, allowing authenticated users with low privileges (Subscriber-level and above) to generate a new API key on sites without an existing API key. This can lead to unauthorized access to restricted API endpoints. The vulnerability affects all versions up to and including 3.0.0. The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and limited confidentiality impact.
Potential Impact
An attacker with Subscriber-level access can generate a new API key on vulnerable sites lacking an API key, enabling unauthorized access to restricted endpoints. This could lead to limited confidentiality breaches but does not affect integrity or availability. The impact is confined to sites using the affected plugin versions without an API key configured.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should consider restricting Subscriber-level access or disabling the plugin if possible. Monitor for vendor updates regarding a patch or official mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-06T18:44:15.837Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 691d6897a27e6d5e91bc16dd
Added to database: 11/19/2025, 6:49:59 AM
Last enriched: 4/9/2026, 4:20:56 PM
Last updated: 5/10/2026, 1:20:19 PM
Views: 145
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.