CVE-2025-14440
Published: 13 December 2025
Summary
CVE-2025-14440 is a critical-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely patching of the authentication bypass flaw in the JAY Login & Register plugin directly eliminates the vulnerability allowing unauthenticated attackers to log in as any user.
Validating the 'jay_login_register_process_switch_back' cookie value as untrusted input prevents attackers from bypassing authentication through manipulation.
Enforcing approved access authorizations ensures proper authentication checks in functions like 'jay_login_register_process_switch_back' to block unauthorized logins.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
This authentication bypass vulnerability in a WordPress plugin allows unauthenticated remote attackers to exploit a public-facing web application, impersonate any user including administrators, and achieve full site compromise.
NVD Description
The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible…
more
for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Deeper analysisAI
CVE-2025-14440 is an authentication bypass vulnerability in the JAY Login & Register plugin for WordPress, affecting versions up to and including 2.4.01. The flaw arises from incorrect authentication checking in the 'jay_login_register_process_switch_back' function, which improperly validates the 'jay_login_register_process_switch_back' cookie value. Published on 2025-12-13, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-565.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. If they have knowledge of a target user's ID, they can manipulate the specified cookie to log in as any existing user on the site, including administrators, gaining full access to their privileges.
Mitigation guidance is available through referenced advisories and patches, including the vulnerable code at https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98, a plugin repository changeset at https://plugins.trac.wordpress.org/changeset/3418754/, and a Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve.
Details
- CWE(s)