Impact
The JAY Login & Register plugin for WordPress contains a critical flaw that allows unauthenticated users to bypass authentication by manipulating a specific cookie. When an attacker sets the 'jay_login_register_process_switch_back' cookie to a valid user ID, the plugin fails to perform a proper authentication check and logs the attacker in as that user. The vulnerability can lead to full administrative access to the site, compromising confidentiality, integrity, and potentially availability if the attacker performs destructive actions. The weakness is classified as CWE-565 (Reliance on Cookies without Validation and Integrity Checking), reflecting a break in authentication and the resulting privilege escalation. The CVSS score of 9.8 indicates a severe threat, underscoring the need for urgent mitigation.
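Added illustration, not the plugin's code: hypothetical PHP showing the unsafe pattern the advisory describes (a plain user-ID cookie deciding who gets logged in) beside a hardened switch-back flow that resolves the identity from a server-side one-time token. Function names, the `example_switch_back` cookie name and the capability policy are assumptions; the WordPress APIs used are standard, and the options-array form of `setcookie` needs PHP 7.3 or later.

```php
<?php
// Hypothetical illustration, not the plugin's code: the unsafe pattern
// described above beside one hardened alternative built on WordPress APIs.

// UNSAFE: a client-controlled cookie alone decides which account gets logged in.
function unsafe_switch_back() {
    if ( ! empty( $_COOKIE['jay_login_register_process_switch_back'] ) ) {
        wp_set_auth_cookie( (int) $_COOKIE['jay_login_register_process_switch_back'] );
    }
}

// HARDENED: issue a random one-time token when a privileged user switches,
// keep the token-to-user mapping server-side, and require it to switch back.
const SWITCH_BACK_COOKIE = 'example_switch_back'; // assumed cookie name

function hardened_begin_switch( int $target_user_id ) {
    $original_id = get_current_user_id();
    // Assumed policy: only a logged-in user allowed to edit the target may switch.
    if ( ! $original_id || ! current_user_can( 'edit_user', $target_user_id ) ) {
        return false;
    }
    $token = wp_generate_password( 43, false ); // 43 alphanumeric chars, no specials
    set_transient( 'switch_back_' . $token, $original_id, HOUR_IN_SECONDS );
    setcookie( SWITCH_BACK_COOKIE, $token, [
        'expires'  => time() + HOUR_IN_SECONDS,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ] );
    wp_set_auth_cookie( $target_user_id );
    return true;
}

function hardened_switch_back() {
    $raw   = isset( $_COOKIE[ SWITCH_BACK_COOKIE ] ) ? wp_unslash( $_COOKIE[ SWITCH_BACK_COOKIE ] ) : '';
    $token = sanitize_text_field( $raw );
    if ( ! preg_match( '/^[A-Za-z0-9]{43}$/', $token ) ) {
        return false;
    }
    $original_id = (int) get_transient( 'switch_back_' . $token );
    delete_transient( 'switch_back_' . $token ); // single use: consumed on any attempt
    if ( ! $original_id || ! get_user_by( 'id', $original_id ) ) {
        return false;
    }
    wp_set_auth_cookie( $original_id ); // identity comes from the server-side record
    return true;
}
```

Both hardened functions would be hooked early (for example on `init`) so the cookie is sent before any output; the point is that the cookie value is only a lookup key, never the identity itself.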
Affected Systems
The affected product is the JAY Login & Register plugin from vendor jayarsiech. All releases up to and including version 2.4.01 are vulnerable. The issue exists in the WordPress environment where this plugin is deployed. No additional products or versions are listed as affected in the available data.
Risk and Exploitability
The exploit probability is low, as shown by an EPSS score of less than 1%, yet the critical CVSS score and lack of mitigation options keep the risk high. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed in-the-wild exploitation as of the last update. The likely attack vector is remote: an adversary can craft a request or use browser developer tools to set the vulnerable cookie and trigger the authentication bypass. No additional system access or configuration changes are required beyond possessing a valid user identifier, which motivates attackers to enumerate user IDs through other means.
OpenCVE Enrichment