GHSA-4F4M-2QM7-575F
Vulnerability from github – Published: 2026-07-11 06:31 – Updated: 2026-07-11 06:31The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload() only overwrites JWT payload keys whose names appear in the admin-configured jwt_payload list — leaving any attacker-supplied identity claims such as email, id, or username intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the payload parameter at the /wp-json/simple-jwt-login/v1/auth endpoint, then redeeming the resulting JWT at the /autologin endpoint to obtain a fully authenticated session as that administrator.
{
"affected": [],
"aliases": [
"CVE-2026-14262"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-11T05:16:32Z",
"severity": "HIGH"
},
"details": "The Simple JWT Login \u2013 Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list \u2014 leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site\u0027s HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator\u0027s email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator.",
"id": "GHSA-4f4m-2qm7-575f",
"modified": "2026-07-11T06:31:16Z",
"published": "2026-07-11T06:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14262"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L163"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/AuthenticateService.php#L34"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/BaseService.php#L269"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-jwt-login/tags/3.6.6/src/Services/LoginService.php#L62"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3597277%40simple-jwt-login\u0026new=3597277%40simple-jwt-login"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd97a7a4-9f57-4882-9e3e-0e9853416af9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.