Authentication Bypass and Privilege Escalation in Simple JWT Login Plugin for WordPress
CVE-2026-14262
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-14262?
The Simple JWT Login plugin for WordPress, up to version 3.6.6, has a vulnerability that allows authenticated attackers to escalate their privileges. By exploiting the payload parameter at the /wp-json/simple-jwt-login/v1/auth endpoint, attackers with subscriber-level access can inject an administrator's email address into the JWT payload. Since the AuthenticateService::generatePayload() method fails to overwrite certain identity claims, these attackers can redeem the modified JWT at the /autologin endpoint. This leads to the attacker gaining a fully authenticated session as an administrator, which can have severe implications for site security.
Affected Version(s)
Simple JWT Login β Allows you to use JWT on REST endpoints. 0 <= 3.6.6