Description
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints.
Published: 2025-11-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API Key Generation and Restricted Endpoint Access
Action: Patch Plugin
AI Analysis

Impact

The WP Login and Register using JWT plugin for WordPress contains a missing capability check on the mo_jwt_generate_new_api_key function. Because the function does not verify that the caller has the required permission, any authenticated user with Subscriber level or higher can request a new API key even when no key is already configured. The generated key then grants the attacker access to protected API endpoints, exposing sensitive site data. This flaw maps to CWE‑862: Missing Authorization.

Affected Systems

The affected vendor is cyberlord92 and the product is the WP Login and Register using JWT plugin for WordPress. All released versions up to and including 3.0.0 are vulnerable. WordPress sites that have this plugin installed and have not yet upgraded beyond 3.0.0 should be considered affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact when the vulnerable action is performed. The EPSS score of less than 1% suggests that the probability of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker must first authenticate with the site, but once logged in as a Subscriber or higher, they can invoke the API key generation endpoint and subsequently use the key to call other authenticated endpoints. Although no public exploit is currently known, the ease of the operation and the requirement of only a valid authenticated session make this a threat that should be mitigated promptly.

Generated by OpenCVE AI on April 21, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Login and Register using JWT plugin to a version later than 3.0.0 that includes the authorization check for the key generation function.
  • If a newer version is not yet available, immediately revoke, disable, or delete any API keys that may have been generated while the plugin was vulnerable, and audit your logs for unauthorized key creation.
  • As a temporary protective measure, restrict the "wp-json/mo-jwt/generate" endpoint to admin‑level users only using a security plugin or .htaccess rules, or de‑activate the plugin if it is no longer required.
  • Monitor site logs and API traffic for unexpected key usage and block offending IP addresses with firewall rules or security plugin settings.

Generated by OpenCVE AI on April 21, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 21 Nov 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 19 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 19 Nov 2025 06:00:00 +0000

Type Values Removed Values Added
Description The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints.
Title WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:14.150Z

Reserved: 2025-11-06T18:44:15.837Z

Link: CVE-2025-12822

cve-icon Vulnrichment

Updated: 2025-11-19T18:43:13.844Z

cve-icon NVD

Status : Deferred

Published: 2025-11-19T06:15:46.803

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12822

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:15:36Z

Weaknesses