Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by nicu_m
CVE-2026-14262 (GCVE-0-2026-14262)
Vulnerability from nvd – Published: 2026-07-11 03:44 – Updated: 2026-07-11 03:44
VLAI
EPSS
VEX
Title
Simple JWT Login <= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via 'payload' Parameter
Summary
The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator.
Severity
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nicu_m | Simple JWT Login – Allows you to use JWT on REST endpoints. |
Affected:
0 , ≤ 3.6.6
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple JWT Login \u2013 Allows you to use JWT on REST endpoints.",
"vendor": "nicu_m",
"versions": [
{
"lessThanOrEqual": "3.6.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Navapon Premkasem (71C4)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple JWT Login \u2013 Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list \u2014 leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site\u0027s HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator\u0027s email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T03:44:25.497Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd97a7a4-9f57-4882-9e3e-0e9853416af9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L34"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L163"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/LoginService.php#L62"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/BaseService.php#L269"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3597277%40simple-jwt-login\u0026new=3597277%40simple-jwt-login"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T15:02:36.000Z",
"value": "Disclosed"
}
],
"title": "Simple JWT Login \u003c= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via \u0027payload\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-14262",
"datePublished": "2026-07-11T03:44:25.497Z",
"dateReserved": "2026-06-30T17:21:39.776Z",
"dateUpdated": "2026-07-11T03:44:25.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14262 (GCVE-0-2026-14262)
Vulnerability from cvelistv5 – Published: 2026-07-11 03:44 – Updated: 2026-07-11 03:44
VLAI
EPSS
VEX
Title
Simple JWT Login <= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via 'payload' Parameter
Summary
The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator.
Severity
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nicu_m | Simple JWT Login – Allows you to use JWT on REST endpoints. |
Affected:
0 , ≤ 3.6.6
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple JWT Login \u2013 Allows you to use JWT on REST endpoints.",
"vendor": "nicu_m",
"versions": [
{
"lessThanOrEqual": "3.6.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Navapon Premkasem (71C4)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple JWT Login \u2013 Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list \u2014 leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site\u0027s HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator\u0027s email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T03:44:25.497Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd97a7a4-9f57-4882-9e3e-0e9853416af9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L34"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L163"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/LoginService.php#L62"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/BaseService.php#L269"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3597277%40simple-jwt-login\u0026new=3597277%40simple-jwt-login"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T15:02:36.000Z",
"value": "Disclosed"
}
],
"title": "Simple JWT Login \u003c= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via \u0027payload\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-14262",
"datePublished": "2026-07-11T03:44:25.497Z",
"dateReserved": "2026-06-30T17:21:39.776Z",
"dateUpdated": "2026-07-11T03:44:25.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}