Skip to content
Threat Feed
critical advisory

CVE-2026-14262: WordPress Simple JWT Login Plugin Authentication Bypass to Privilege Escalation

An authentication bypass vulnerability (CVE-2026-14262) exists in the WordPress Simple JWT Login plugin, affecting all versions up to and including 3.6.6, which allows authenticated attackers with subscriber-level access or higher to escalate privileges to Administrator by injecting crafted identity claims into the `payload` parameter of a JWT token.

A critical authentication bypass and privilege escalation vulnerability, tracked as CVE-2026-14262, has been identified in the Simple JWT Login plugin for WordPress, affecting all versions up to and including 3.6.6. This flaw allows authenticated attackers, possessing only subscriber-level access, to escalate their privileges to that of an Administrator on the affected WordPress site. The vulnerability stems from the plugin's AuthenticateService::generatePayload() function, which incompletely processes JWT tokens by failing to overwrite attacker-supplied identity claims such as email, id, or username within the payload parameter. This oversight results in these malicious claims being signed into the JWT using the site's HS256 secret. Attackers can leverage this by sending a crafted request to the /wp-json/simple-jwt-login/v1/auth endpoint, injecting an administrator's email, and then redeeming the resulting JWT at the /autologin endpoint to gain a full administrator session.

Attack Chain

  1. An authenticated attacker with subscriber-level (or higher) privileges crafts an HTTP POST request.
  2. The target for this request is the /wp-json/simple-jwt-login/v1/auth API endpoint on the vulnerable WordPress site.
  3. The attacker includes a payload parameter in the request, containing a JSON object with identity claims (e.g., email, id, or username) that correspond to a desired administrator account.
  4. The plugin's AuthenticateService::generatePayload() function processes the request, but due to the vulnerability, it fails to overwrite these attacker-supplied identity claims within the JWT's payload, even though it signs the token with the site's HS256 secret.
  5. The attacker receives the maliciously crafted and signed JWT in the HTTP response.
  6. The attacker then presents this manipulated JWT to the vulnerable /autologin endpoint.
  7. The /autologin endpoint validates the JWT's signature (which is legitimate due to the HS256 secret) and processes the administrator identity claims contained within the payload.
  8. The attacker is granted a fully authenticated session with administrator privileges on the WordPress site.

Impact

Successful exploitation of CVE-2026-14262 grants an attacker full administrator control over the affected WordPress site. This level of access allows for complete compromise of the website, including the ability to install and remove plugins, modify themes, create and delete users, publish and delete content, and potentially inject malicious code, leading to defacement, data theft, or further compromise of the hosting server. The vulnerability has a CVSS v3.1 Base Score of 8.8, indicating high severity and significant impact on confidentiality, integrity, and availability.

Recommendation

  • Patch CVE-2026-14262 immediately by updating the Simple JWT Login plugin to a version greater than 3.6.6.
  • Deploy the provided Sigma rule to your SIEM solution to detect attempted exploitation of CVE-2026-14262.
  • Monitor web server logs for suspicious POST requests to the /wp-json/simple-jwt-login/v1/auth and /autologin endpoints, specifically looking for unusual payload parameter content.
  • Implement a Web Application Firewall (WAF) to inspect and potentially block requests targeting /wp-json/simple-jwt-login/v1/auth with cs-uri-query parameters containing sensitive identity claims like email=, id=, or username=.

Detection coverage 1

Detects CVE-2026-14262 Exploitation - Simple JWT Login Admin Impersonation Attempt

high

Detects exploitation attempts for CVE-2026-14262, an authentication bypass vulnerability in the WordPress Simple JWT Login plugin, where attackers inject administrator identity claims into the JWT payload parameter via a POST request to the /wp-json/simple-jwt-login/v1/auth endpoint.

sigma tactics: privilege_escalation techniques: T1068 sources: webserver

Detection queries are available on the platform. Get full rules →