CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-14262

highCVSS 8.8covered by 1 sourcefirst seen 2026-07-11
The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload() only overwrites JWT payload keys whose names appear in the admin-configured jwt_payload list — leaving any attacker-supplied identity claims such as email, id, or username intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the payload parameter at the /wp-json/simple-jwt-login/v1/auth endpoint, then redeeming the resulting JWT at the /autologin endpoint to obtain a fully authenticated session as that administrator.

⚡ Watch CVE-2026-14262

Get an email if CVE-2026-14262 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-14262

CVE.org record

Embed the live status

CVE-2026-14262 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-14262 status](https://www.csirts.com/badge/CVE-2026-14262)](https://www.csirts.com/cve/CVE-2026-14262)