Simple JWT Login <= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation via 'payload' Parameter
Strategic Overview
<= 3.6.6CVE-2026-14262Vulnerability Overview
The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator.
Technical Analysis
REMEDIATION: Update to version 3.6.7, or a newer patched version --- IDENTIFIER: CWE-269 (Improper Privilege Management) The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
External References
Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C