<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Simple JWT Login &lt;= 3.6.6 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/simple-jwt-login--3.6.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Jul 2026 05:17:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/simple-jwt-login--3.6.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14262: WordPress Simple JWT Login Plugin Authentication Bypass to Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14262-wordpress-jwt-login/</link><pubDate>Sat, 11 Jul 2026 05:17:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14262-wordpress-jwt-login/</guid><description>An authentication bypass vulnerability (CVE-2026-14262) exists in the WordPress Simple JWT Login plugin, affecting all versions up to and including 3.6.6, which allows authenticated attackers with subscriber-level access or higher to escalate privileges to Administrator by injecting crafted identity claims into the `payload` parameter of a JWT token.</description><content:encoded><![CDATA[<p>A critical authentication bypass and privilege escalation vulnerability, tracked as CVE-2026-14262, has been identified in the Simple JWT Login plugin for WordPress, affecting all versions up to and including 3.6.6. This flaw allows authenticated attackers, possessing only subscriber-level access, to escalate their privileges to that of an Administrator on the affected WordPress site. The vulnerability stems from the plugin's <code>AuthenticateService::generatePayload()</code> function, which incompletely processes JWT tokens by failing to overwrite attacker-supplied identity claims such as <code>email</code>, <code>id</code>, or <code>username</code> within the <code>payload</code> parameter. This oversight results in these malicious claims being signed into the JWT using the site's HS256 secret. Attackers can leverage this by sending a crafted request to the <code>/wp-json/simple-jwt-login/v1/auth</code> endpoint, injecting an administrator's email, and then redeeming the resulting JWT at the <code>/autologin</code> endpoint to gain a full administrator session.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker with subscriber-level (or higher) privileges crafts an HTTP POST request.</li>
<li>The target for this request is the <code>/wp-json/simple-jwt-login/v1/auth</code> API endpoint on the vulnerable WordPress site.</li>
<li>The attacker includes a <code>payload</code> parameter in the request, containing a JSON object with identity claims (e.g., <code>email</code>, <code>id</code>, or <code>username</code>) that correspond to a desired administrator account.</li>
<li>The plugin's <code>AuthenticateService::generatePayload()</code> function processes the request, but due to the vulnerability, it fails to overwrite these attacker-supplied identity claims within the JWT's payload, even though it signs the token with the site's HS256 secret.</li>
<li>The attacker receives the maliciously crafted and signed JWT in the HTTP response.</li>
<li>The attacker then presents this manipulated JWT to the vulnerable <code>/autologin</code> endpoint.</li>
<li>The <code>/autologin</code> endpoint validates the JWT's signature (which is legitimate due to the HS256 secret) and processes the administrator identity claims contained within the payload.</li>
<li>The attacker is granted a fully authenticated session with administrator privileges on the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14262 grants an attacker full administrator control over the affected WordPress site. This level of access allows for complete compromise of the website, including the ability to install and remove plugins, modify themes, create and delete users, publish and delete content, and potentially inject malicious code, leading to defacement, data theft, or further compromise of the hosting server. The vulnerability has a CVSS v3.1 Base Score of 8.8, indicating high severity and significant impact on confidentiality, integrity, and availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-14262 immediately by updating the Simple JWT Login plugin to a version greater than 3.6.6.</li>
<li>Deploy the provided Sigma rule to your SIEM solution to detect attempted exploitation of CVE-2026-14262.</li>
<li>Monitor web server logs for suspicious POST requests to the <code>/wp-json/simple-jwt-login/v1/auth</code> and <code>/autologin</code> endpoints, specifically looking for unusual <code>payload</code> parameter content.</li>
<li>Implement a Web Application Firewall (WAF) to inspect and potentially block requests targeting <code>/wp-json/simple-jwt-login/v1/auth</code> with <code>cs-uri-query</code> parameters containing sensitive identity claims like <code>email=</code>, <code>id=</code>, or <code>username=</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>authentication-bypass</category><category>privilege-escalation</category><category>web</category></item></channel></rss>