CVE-2025-14440: CWE-565 Reliance on Cookies without Validation and Integrity Checking in jayarsiech JAY Login & Register
The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
AI Analysis
Technical Summary
CVE-2025-14440 affects the JAY Login & Register plugin for WordPress, where the 'jay_login_register_process_switch_back' function improperly authenticates users based solely on the value of a cookie. This lack of validation allows attackers to bypass authentication controls and assume the identity of any user on the site if they know the user ID. The vulnerability is due to reliance on cookies without validation or integrity checks (CWE-565). It impacts versions up to and including 2.4.01. The CVSS 3.1 base score is 9.8, reflecting critical impact on confidentiality, integrity, and availability.
Potential Impact
An attacker can gain unauthorized access to any user account on the affected WordPress site, including administrative accounts, leading to full compromise of the site. This includes complete control over site content, user data, and administrative functions. The vulnerability does not require any privileges or user interaction and can be exploited remotely over the network.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, it is recommended to disable or remove the JAY Login & Register plugin to prevent exploitation. Monitor vendor channels for updates and apply any official patches promptly once available.
CVE-2025-14440: CWE-565 Reliance on Cookies without Validation and Integrity Checking in jayarsiech JAY Login & Register
Description
The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14440 affects the JAY Login & Register plugin for WordPress, where the 'jay_login_register_process_switch_back' function improperly authenticates users based solely on the value of a cookie. This lack of validation allows attackers to bypass authentication controls and assume the identity of any user on the site if they know the user ID. The vulnerability is due to reliance on cookies without validation or integrity checks (CWE-565). It impacts versions up to and including 2.4.01. The CVSS 3.1 base score is 9.8, reflecting critical impact on confidentiality, integrity, and availability.
Potential Impact
An attacker can gain unauthorized access to any user account on the affected WordPress site, including administrative accounts, leading to full compromise of the site. This includes complete control over site content, user data, and administrative functions. The vulnerability does not require any privileges or user interaction and can be exploited remotely over the network.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, it is recommended to disable or remove the JAY Login & Register plugin to prevent exploitation. Monitor vendor channels for updates and apply any official patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-10T12:22:08.723Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 693cef65d977419e584a508b
Added to database: 12/13/2025, 4:45:25 AM
Last enriched: 4/9/2026, 4:49:01 PM
Last updated: 5/8/2026, 2:22:22 PM
Views: 262
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.