WordPress Plugin Vulnerabilities

JetEngine < 3.2.5 - Authenticated (Contributor+) Privilege Escalation

Description

The JetEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.2.4. This is due to an unknown issue. This makes it possible for authenticated attackers, with contributor-level access and above, to gain elevated privileges.

Affects Plugins

Plugin icon
jet-engine
Fixed in 3.2.5

References

CVE
CVE-2023-48757
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
a3b91164-6e0a-423f-8db5-4a0f250bbc53

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2023-06-02
Title
Page Builder by AZEXO <= 1.27.133 - Subscriber+ Post Creation
Published
2024-01-16
Title
User Profile Builder < 3.10.9 - Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update
Published
2024-02-21
Title
Maintenance Page < 1.0.9 - Missing Authorization to Sensitive Information Exposure
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions
Published
2022-12-28
Title
Optimize images ALT Text (alt tag) & names for SEO using AI < 2.0.8 - Settings Update via CSRF