WordPress
Multiple Products
2026-01-06
Description
The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including those of administrators, and leverage that to gain access to their accounts.
AI Analyst Comment
Remediation
Update the FS Registration Password plugin for WordPress to the latest version. Monitor for exploitation attempts and review access logs.
Description Summary:
The JAY Login & Register plugin for WordPress is vulnerable to privilege escalation. All versions up to and including version 2 are affected by this flaw.
Executive Summary:
A critical privilege escalation vulnerability in the JAY Login & Register plugin for WordPress allows attackers to gain unauthorized elevated permissions.
Vulnerability Details
CVE-ID: CVE-2025-15100
Affected Software: JAY Login & Register Plugin (WordPress)
Affected Versions: All versions up to, and including, 2
Vulnerability: This vulnerability allows for privilege escalation within the WordPress environment. While the exact mechanism is not specified, it typically involves a failure in capability checks during the login or registration process, allowing a low-privileged user to gain administrative rights.
Business Impact
With a CVSS score of 8.8, this vulnerability is extremely serious. A successful exploit allows an attacker to gain full control over the WordPress site, leading to total data compromise, site defacement, and the ability to inject malicious code. For businesses, this translates to a high risk of data theft and significant reputational damage.
Remediation Plan
Immediate Action: Update the JAY Login & Register plugin to the latest patched version immediately. If no patch is available, deactivate and remove the plugin.
Proactive Monitoring: Review the WordPress user list for any unauthorized administrative accounts or unexpected changes in user roles.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules specifically designed to block common WordPress privilege escalation patterns and unauthorized access to administrative functions.
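One way to carry out the Proactive Monitoring step, as an added example that is not part of the original advisory: the script audits a CSV export produced by WP-CLI's `wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv` and flags administrator accounts that are not on an approved list or were registered after a baseline date. The sample export, the approved-admin list and the baseline date are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the WP-CLI CSV export (not real site data).
SAMPLE_EXPORT = """ID,user_login,user_email,roles,user_registered
1,siteowner,owner@example.com,administrator,2023-04-11 09:15:02
7,editor_amy,amy@example.com,editor,2024-08-30 14:02:51
42,support_tmp,tmp@example.net,"subscriber,administrator",2026-02-01 03:12:44
43,jdoe,jdoe@example.com,subscriber,2026-02-02 18:40:10
"""

# Assumption: logins the site owner has approved as administrators.
APPROVED_ADMINS = {"siteowner"}
PRIVILEGED_ROLES = {"administrator"}


def audit_users(export_csv, approved, baseline_date):
    """Return findings for privileged accounts that are unapproved or newer than the baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # A user can hold several roles; WP-CLI joins them with commas.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["user_login"] not in approved:
            reasons.append("not on approved admin list")
        if registered >= baseline_date:
            reasons.append("registered after baseline")
        if reasons:
            findings.append({"id": int(row["ID"]), "login": row["user_login"],
                             "roles": sorted(roles), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumption: baseline is the last date the user list was known to be good.
    for f in audit_users(SAMPLE_EXPORT, APPROVED_ADMINS, datetime(2026, 1, 1)):
        print(f"{f['id']}\t{f['login']}\t{','.join(f['roles'])}\t{'; '.join(f['reasons'])}")
```

Accounts whose password was changed without a role change will not appear here, so pair this with a review of access logs for unexpected administrator logins.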
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 8, 2026, there is no public information indicating active exploitation of this vulnerability. However, privilege escalation flaws in WordPress plugins are frequently targeted by automated exploit kits.
Analyst Recommendation
The CVSS score of 8.8 indicates an urgent need for remediation. Administrators must treat this as a high-priority threat and update the affected plugin immediately. Failure to do so leaves the entire WordPress installation vulnerable to complete takeover by any registered user or attacker.