Jetpack < 12.7 – Improper Authorization via WPCom External Media REST endpoints | CVE 2023-47788 | Plugin Vulnerabilities

Description

The Jetpack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the WPCom External Media REST permission_callback function in versions up to and including 12.6.2. This makes it possible for authenticated attackers, with contributor-level access and above, to import external media even without the upload_files capability.

Affects Plugins

Fixed in 12.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e62fa16f-a4a1-44a7-9a66-abafd8dddf67

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

cce4ac0a-777f-4dde-b86e-614a224dbf6e

Timeline

Publicly Published

2023-11-16 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-11-24 (about 2 years ago)

Other

Published

Title

Published

2026-01-09

Title

Blog2Social: Social Media Auto Post & Scheduler < 8.7.3 - Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

Published

2025-04-24

Title

Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions

Published

2025-07-01

Title

Soumettre.fr <= 2.1.5 - Unauthenticated Soumettre Posts Creation/Modification/Deletion

Published

2024-10-14

Title

Jetpack < 13.9.1 - Subscriber+ Arbitrary Feedback Access

Published

2025-09-11

Title

Recipe Card Blocks for Gutenberg & Elementor < 3.4.9 - Incorrect Authorization