CVE-2025-14440 — AI Deep Analysis Summary

🚨 **Essence**: Critical Auth Bypass in **JAY Login & Register** plugin. <br>💥 **Consequences**: Attackers can bypass login checks entirely. Full system compromise is possible.…

🛡️ **Root Cause**: Flawed authentication logic in `jay_login_register_process_switch_back` function. <br>🔍 **CWE**: **CWE-565** (Information Exposure Through User-Friendly Error Messages / Improper Authentication).…

📦 **Affected**: WordPress Plugin **JAY Login & Register**. <br>📉 **Version**: **2.4.01** and earlier. <br>🏢 **Vendor**: jayarsiech. If you use this plugin, you are vulnerable.

👑 **Privileges**: Attackers gain **unauthorized access**. <br>📂 **Data**: Full read/write access to user accounts. <br>🔓 **Impact**: High Confidentiality, Integrity, and Availability loss.…

⚡ **Threshold**: **LOW**. <br>🌐 **Network**: Attack Vector is **Network** (AV:N). <br>🔑 **Auth**: **None** required (PR:N). <br>👀 **UI**: **None** required (UI:N). Easy to exploit remotely.

💣 **Exploit**: **YES**. Public PoC exists. <br>🔗 **Link**: [GitHub PoC](https://github.com/Nxploited/CVE-2025-14440). <br>⚠️ **Method**: Exploits via **Cookie** manipulation. Wild exploitation is likely imminent.

🔍 **Check**: Scan for plugin **JAY Login & Register**. <br>📊 **Version**: Verify if version is **≤ 2.4.01**. <br>🛠️ **Tool**: Use WPScan or manual code review of `jay-login-register-user-switching.php` around line 98.

🩹 **Fix**: **YES**. Patch available. <br>🔗 **Source**: [WordPress Trac Changeset 3418754](https://plugins.trac.wordpress.org/changeset/3418754/). <br>✅ **Action**: Update plugin immediately to the latest version.

🚧 **No Patch?**: Disable the plugin immediately. <br>🔒 **Mitigation**: Remove `jay-login-register` folder. <br>📝 **Workaround**: If critical, implement strict cookie validation manually (not recommended).…

🔥 **Urgency**: **CRITICAL**. <br>🚨 **Priority**: **P0**. <br>⏱️ **Time**: Patch **NOW**. CVSS Score is **High** (9.8+ implied by vector). Do not wait.