WordPress Plugin Vulnerabilities

JetElements For Elementor < 2.6.13.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Download

Description

The JetElements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on an unknown function in all versions up to, and including, 2.6.13. This makes it possible for unauthenticated attackers to download arbitrary attachments.

Affects Plugins

Plugin icon
jet-elements
Fixed in 2.6.13.1

References

CVE
CVE-2023-48759
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
cf9c4f4f-d7ba-41c5-b817-61f5879119f8

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-29
Title
Bulk Menu Edit < 1.3.1 - Missing Authorization
Published
2025-09-22
Title
Smart Blocks < 2.5 - Missing Authorization
Published
2025-01-16
Title
Salvador – AI Image Generator <= 1.0.11 - Missing Authorization
Published
2024-09-03
Title
The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Missing Authorization to Admin Username Change
Published
2025-12-30
Title
Civic Cookie Control < 1.54 - Missing Authorization