Authentication Bypass and Privilege Escalation in Simple JWT Login Plugin for WordPress
CVE-2026-14262

8.8HIGH

What is CVE-2026-14262?

The Simple JWT Login plugin for WordPress, up to version 3.6.6, has a vulnerability that allows authenticated attackers to escalate their privileges. By exploiting the payload parameter at the /wp-json/simple-jwt-login/v1/auth endpoint, attackers with subscriber-level access can inject an administrator's email address into the JWT payload. Since the AuthenticateService::generatePayload() method fails to overwrite certain identity claims, these attackers can redeem the modified JWT at the /autologin endpoint. This leads to the attacker gaining a fully authenticated session as an administrator, which can have severe implications for site security.

Affected Version(s)

Simple JWT Login – Allows you to use JWT on REST endpoints. 0 <= 3.6.6

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Navapon Premkasem (71C4)
.