{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12822", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T18:44:15.837Z", "datePublished": "2025-11-19T05:45:15.251Z", "dateUpdated": "2026-04-08T17:10:14.150Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:14.150Z"}, "affected": [{"vendor": "cyberlord92", "product": "WP Login and Register using JWT", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints."}], "title": "WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/966523a4-3d4b-444b-b9d0-63c72527a99f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397900%40login-register-using-jwt&new=3397900%40login-register-using-jwt&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-11-06T19:00:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-18T17:17:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T18:43:07.788647Z", "id": "CVE-2025-12822", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T18:43:17.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12822", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T18:43:07.788647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T18:43:13.844Z"}}], "cna": {"title": "WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "cyberlord92", "product": "WP Login and Register using JWT", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-06T19:00:51.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-18T17:17:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/966523a4-3d4b-444b-b9d0-63c72527a99f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397900%40login-register-using-jwt&new=3397900%40login-register-using-jwt&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:14.150Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12822", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:10:14.150Z", "dateReserved": "2025-11-06T18:44:15.837Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-19T05:45:15.251Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints."}], "id": "CVE-2025-12822", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-19T06:15:46.803", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397900%40login-register-using-jwt&new=3397900%40login-register-using-jwt&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/966523a4-3d4b-444b-b9d0-63c72527a99f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:09:49.622964+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Login and Register using JWT plugin to a version later than 3.0.0 that includes the authorization check for the key generation function.", "If a newer version is not yet available, immediately revoke, disable, or delete any API keys that may have been generated while the plugin was vulnerable, and audit your logs for unauthorized key creation.", "As a temporary protective measure, restrict the \"wp-json/mo-jwt/generate\" endpoint to admin\u2011level users only using a security plugin or .htaccess rules, or de\u2011activate the plugin if it is no longer required.", "Monitor site logs and API traffic for unexpected key usage and block offending IP addresses with firewall rules or security plugin settings."], "summary": {"action": "Patch Plugin", "impact": "Unauthorized API Key Generation and Restricted Endpoint Access"}, "threat_synthesis": {"affected_systems": "The affected vendor is cyberlord92 and the product is the WP Login and Register using JWT plugin for WordPress. All released versions up to and including 3.0.0 are vulnerable. WordPress sites that have this plugin installed and have not yet upgraded beyond 3.0.0 should be considered affected.", "description_and_impact": "The WP Login and Register using JWT plugin for WordPress contains a missing capability check on the mo_jwt_generate_new_api_key function. Because the function does not verify that the caller has the required permission, any authenticated user with Subscriber level or higher can request a new API key even when no key is already configured. The generated key then grants the attacker access to protected API endpoints, exposing sensitive site data. This flaw maps to CWE\u2011862: Missing Authorization.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact when the vulnerable action is performed. The EPSS score of less than 1% suggests that the probability of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker must first authenticate with the site, but once logged in as a Subscriber or higher, they can invoke the API key generation endpoint and subsequently use the key to call other authenticated endpoints. Although no public exploit is currently known, the ease of the operation and the requirement of only a valid authenticated session make this a threat that should be mitigated promptly."}}}}, "created": "2025-11-21T09:15:59.187649+00:00", "updated": "2026-04-21T18:15:36.374827+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}