{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/simple-jwt-login/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-14262"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple JWT Login \u003c= 3.6.6"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","authentication-bypass","privilege-escalation","web"],"_cs_type":"advisory","_cs_vendors":["Simple JWT Login"],"content_html":"\u003cp\u003eA critical authentication bypass and privilege escalation vulnerability, tracked as CVE-2026-14262, has been identified in the Simple JWT Login plugin for WordPress, affecting all versions up to and including 3.6.6. This flaw allows authenticated attackers, possessing only subscriber-level access, to escalate their privileges to that of an Administrator on the affected WordPress site. The vulnerability stems from the plugin's \u003ccode\u003eAuthenticateService::generatePayload()\u003c/code\u003e function, which incompletely processes JWT tokens by failing to overwrite attacker-supplied identity claims such as \u003ccode\u003eemail\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, or \u003ccode\u003eusername\u003c/code\u003e within the \u003ccode\u003epayload\u003c/code\u003e parameter. This oversight results in these malicious claims being signed into the JWT using the site's HS256 secret. Attackers can leverage this by sending a crafted request to the \u003ccode\u003e/wp-json/simple-jwt-login/v1/auth\u003c/code\u003e endpoint, injecting an administrator's email, and then redeeming the resulting JWT at the \u003ccode\u003e/autologin\u003c/code\u003e endpoint to gain a full administrator session.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker with subscriber-level (or higher) privileges crafts an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe target for this request is the \u003ccode\u003e/wp-json/simple-jwt-login/v1/auth\u003c/code\u003e API endpoint on the vulnerable WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003epayload\u003c/code\u003e parameter in the request, containing a JSON object with identity claims (e.g., \u003ccode\u003eemail\u003c/code\u003e, \u003ccode\u003eid\u003c/code\u003e, or \u003ccode\u003eusername\u003c/code\u003e) that correspond to a desired administrator account.\u003c/li\u003e\n\u003cli\u003eThe plugin's \u003ccode\u003eAuthenticateService::generatePayload()\u003c/code\u003e function processes the request, but due to the vulnerability, it fails to overwrite these attacker-supplied identity claims within the JWT's payload, even though it signs the token with the site's HS256 secret.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the maliciously crafted and signed JWT in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker then presents this manipulated JWT to the vulnerable \u003ccode\u003e/autologin\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/autologin\u003c/code\u003e endpoint validates the JWT's signature (which is legitimate due to the HS256 secret) and processes the administrator identity claims contained within the payload.\u003c/li\u003e\n\u003cli\u003eThe attacker is granted a fully authenticated session with administrator privileges on the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14262 grants an attacker full administrator control over the affected WordPress site. This level of access allows for complete compromise of the website, including the ability to install and remove plugins, modify themes, create and delete users, publish and delete content, and potentially inject malicious code, leading to defacement, data theft, or further compromise of the hosting server. The vulnerability has a CVSS v3.1 Base Score of 8.8, indicating high severity and significant impact on confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-14262 immediately by updating the Simple JWT Login plugin to a version greater than 3.6.6.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM solution to detect attempted exploitation of CVE-2026-14262.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/wp-json/simple-jwt-login/v1/auth\u003c/code\u003e and \u003ccode\u003e/autologin\u003c/code\u003e endpoints, specifically looking for unusual \u003ccode\u003epayload\u003c/code\u003e parameter content.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to inspect and potentially block requests targeting \u003ccode\u003e/wp-json/simple-jwt-login/v1/auth\u003c/code\u003e with \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters containing sensitive identity claims like \u003ccode\u003eemail=\u003c/code\u003e, \u003ccode\u003eid=\u003c/code\u003e, or \u003ccode\u003eusername=\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T05:17:56Z","date_published":"2026-07-11T05:17:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14262-wordpress-jwt-login/","summary":"An authentication bypass vulnerability (CVE-2026-14262) exists in the WordPress Simple JWT Login plugin, affecting all versions up to and including 3.6.6, which allows authenticated attackers with subscriber-level access or higher to escalate privileges to Administrator by injecting crafted identity claims into the `payload` parameter of a JWT token.","title":"CVE-2026-14262: WordPress Simple JWT Login Plugin Authentication Bypass to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14262-wordpress-jwt-login/"}],"language":"en","title":"CraftedSignal Threat Feed - Simple JWT Login","version":"https://jsonfeed.org/version/1.1"}