CVE-2026-14262 is a high-severity authentication bypass and privilege escalation vulnerability in the Simple JWT Login WordPress plugin affecting all versions up to and including 3.6.6. The flaw is in the plugin's JWT payload generation logic, specifically in AuthenticateService::generatePayload(), which only overwrites JWT payload fields whose names are explicitly present in the administrator-configured jwt_payload list. As a result, attacker-controlled identity claims that are not overwritten, such as email, id, or username, can remain in the token payload and be signed by the application using the site's HS256 secret. An authenticated attacker with subscriber-level access or higher can supply crafted identity data in the payload parameter to the plugin's authentication REST endpoint, obtain a valid signed JWT containing forged administrator identity attributes, and then use the plugin's autologin functionality to establish a fully authenticated session as the targeted administrator.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.