CVE-2026-14262: WordPress Simple JWT Login Plugin Authentication Bypass to Privilege Escalation
An authentication bypass vulnerability (CVE-2026-14262) exists in the WordPress Simple JWT Login plugin, affecting all versions up to and including 3.6.6, which allows authenticated attackers with subscriber-level access or higher to escalate privileges to Administrator by injecting crafted identity claims into the `payload` parameter of a JWT token.
A critical authentication bypass and privilege escalation vulnerability, tracked as CVE-2026-14262, has been identified in the Simple JWT Login plugin for WordPress, affecting all versions up to and including 3.6.6. This flaw allows authenticated attackers, possessing only subscriber-level access, to escalate their privileges to that of an Administrator on the affected WordPress site. The vulnerability stems from the plugin's AuthenticateService::generatePayload() function, which incompletely processes JWT tokens by failing to overwrite attacker-supplied identity claims such as email, id, or username within the payload parameter. This oversight results in these malicious claims being signed into the JWT using the site's HS256 secret. Attackers can leverage this by sending a crafted request to the /wp-json/simple-jwt-login/v1/auth endpoint, injecting an administrator's email, and then redeeming the resulting JWT at the /autologin endpoint to gain a full administrator session.
Attack Chain
- An authenticated attacker with subscriber-level (or higher) privileges crafts an HTTP POST request.
- The target for this request is the
/wp-json/simple-jwt-login/v1/authAPI endpoint on the vulnerable WordPress site. - The attacker includes a
payloadparameter in the request, containing a JSON object with identity claims (e.g.,email,id, orusername) that correspond to a desired administrator account. - The plugin's
AuthenticateService::generatePayload()function processes the request, but due to the vulnerability, it fails to overwrite these attacker-supplied identity claims within the JWT's payload, even though it signs the token with the site's HS256 secret. - The attacker receives the maliciously crafted and signed JWT in the HTTP response.
- The attacker then presents this manipulated JWT to the vulnerable
/autologinendpoint. - The
/autologinendpoint validates the JWT's signature (which is legitimate due to the HS256 secret) and processes the administrator identity claims contained within the payload. - The attacker is granted a fully authenticated session with administrator privileges on the WordPress site.
Impact
Successful exploitation of CVE-2026-14262 grants an attacker full administrator control over the affected WordPress site. This level of access allows for complete compromise of the website, including the ability to install and remove plugins, modify themes, create and delete users, publish and delete content, and potentially inject malicious code, leading to defacement, data theft, or further compromise of the hosting server. The vulnerability has a CVSS v3.1 Base Score of 8.8, indicating high severity and significant impact on confidentiality, integrity, and availability.
Recommendation
- Patch CVE-2026-14262 immediately by updating the Simple JWT Login plugin to a version greater than 3.6.6.
- Deploy the provided Sigma rule to your SIEM solution to detect attempted exploitation of CVE-2026-14262.
- Monitor web server logs for suspicious POST requests to the
/wp-json/simple-jwt-login/v1/authand/autologinendpoints, specifically looking for unusualpayloadparameter content. - Implement a Web Application Firewall (WAF) to inspect and potentially block requests targeting
/wp-json/simple-jwt-login/v1/authwithcs-uri-queryparameters containing sensitive identity claims likeemail=,id=, orusername=.
Detection coverage 1
Detects CVE-2026-14262 Exploitation - Simple JWT Login Admin Impersonation Attempt
highDetects exploitation attempts for CVE-2026-14262, an authentication bypass vulnerability in the WordPress Simple JWT Login plugin, where attackers inject administrator identity claims into the JWT payload parameter via a POST request to the /wp-json/simple-jwt-login/v1/auth endpoint.
Detection queries are available on the platform. Get full rules →