The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
The vulnerability results from improper identity verification in the 'jay_login_register_process_switch_back' function, which incorrectly processes a cookie value with the same name. An attacker can provide a crafted cookie value containing the identifier of the selected user (user id), which causes login to that account without the need to provide a password. The account switching mechanism does not properly validate the requester's permissions, which classifies the vulnerability as CWE-565 (reliance on cookie value without validation).
An attacker can take full control of any user account, including administrator account, thereby gaining unlimited access to resources, data and the WordPress site management panel.
Patches available from the vendor should be applied according to references. An updated version of the plugin is available in the WordPress repository (changeset 3418754). Immediate plugin update is recommended as well as verification of access logs for unauthorized logins.
JAY Login & Register plugin for WordPress in versions up to and including 2.4.01
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H