CVE-2025-12822: Critical API Key Generation Flaw in WP Login and Register using JWT Plugin

Overview

CVE-2025-12822 is a medium severity vulnerability discovered in the “WP Login and Register using JWT” plugin for WordPress. This vulnerability allows authenticated attackers, even with Subscriber-level access, to generate a new API key on vulnerable sites that don’t already have one configured. This unauthorized API key can then be used to access restricted plugin endpoints, potentially leading to data breaches or further exploitation.

This vulnerability affects all versions of the plugin up to, and including, 3.0.0.

Technical Details

The vulnerability stems from a missing capability check on the mo_jwt_generate_new_api_key function. This function, intended for administrators, lacks proper access control. As a result, any authenticated user (Subscriber and above) can trigger the function, generating a new API key if one doesn’t already exist.

Attackers can exploit this vulnerability by sending a crafted request to the vulnerable endpoint. The newly generated API key grants unauthorized access to various plugin functionalities, bypassing intended security restrictions.
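The handler below shows what the missing control looks like when it is present. It is an added example, not the plugin's code or its patch. It assumes an admin-ajax style handler, and the hook name, nonce action and option name (all prefixed example_) are hypothetical.

```php
<?php
/**
 * Illustrative key-generation handler with the access control in place.
 * Hypothetical names: example_generate_api_key, example_jwt_api_key.
 */

// wp_ajax_{action} hooks run for ANY logged-in user, Subscribers included.
// Registering the hook is therefore authentication only, not authorization.
add_action( 'wp_ajax_example_generate_api_key', 'example_generate_api_key' );

function example_generate_api_key() {
	// 1. Authorization: the kind of capability check the advisory describes
	//    as missing. Only roles with manage_options (administrators by
	//    default) get past this point.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// 2. Request intent: the nonce protects against cross-site request
	//    forgery. It does not replace step 1, because a nonce can be issued
	//    to any logged-in user. Terminates the request if invalid.
	check_ajax_referer( 'example_generate_api_key', 'nonce' );

	// 3. Do not silently create a second key. Rotation should be its own
	//    explicit, audited action.
	if ( get_option( 'example_jwt_api_key' ) ) {
		wp_send_json_error( array( 'message' => 'API key already configured' ), 409 );
	}

	// 4. Generate the key from a CSPRNG: 32 random bytes, hex-encoded.
	$api_key = bin2hex( random_bytes( 32 ) );
	add_option( 'example_jwt_api_key', $api_key, '', false ); // not autoloaded

	// 5. Leave an audit trail so key creation can be tied to an account.
	error_log( sprintf( 'API key generated by user ID %d', get_current_user_id() ) );

	wp_send_json_success( array( 'api_key' => $api_key ) );
}
```

When reviewing other handlers for the same class of bug, look for state-changing callbacks that check a nonce or is_user_logged_in() but never call current_user_can().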

CVSS Analysis

  • CVE ID: CVE-2025-12822
  • Severity: MEDIUM
  • CVSS Score: 4.3

A CVSS score of 4.3 indicates a medium severity vulnerability. While the impact could be significant, the exploitability is somewhat limited by the requirement of an existing user account (even with low privileges).

Possible Impact

Successful exploitation of CVE-2025-12822 can lead to several negative consequences:

  • Unauthorized Data Access: Attackers can access sensitive data protected by the plugin’s API endpoints.
  • Account Takeover: Depending on the API functionality exposed, attackers might be able to escalate privileges or take over user accounts.
  • Data Modification: If the exposed API endpoints allow it, attackers could modify or delete data within the WordPress site.
  • Further Exploitation: The vulnerability can act as a stepping stone for more complex attacks targeting the WordPress site.

Mitigation and Patch Steps

The recommended mitigation is to update the “WP Login and Register using JWT” plugin to the latest version. The vulnerability has been patched in versions later than 3.0.0.

  1. Update the Plugin: Navigate to the WordPress admin dashboard, go to the “Plugins” section, and update the “WP Login and Register using JWT” plugin to the latest available version.
  2. Verify API Key Usage (If possible): If you suspect unauthorized API key generation, monitor the plugin’s logs (if available) for unusual API activity.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.