WordPress Plugin Vulnerabilities

JetEngine < 3.2.5 - Missing Authorization

Description

The JetEngine plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
jet-engine
Fixed in 3.2.5

References

CVE
CVE-2023-48758
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
e39b5074-8b68-466a-9663-ef492f55765a

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-02-13
Title
Starfish Review Generation & Marketing <= 3.1.19 - Subscriber+ Arbitrary Options Update
Published
2026-01-11
Title
PopCash.Net Code Integration Tool <= 1.8 - Missing Authorization
Published
2024-11-21
Title
Ultimate YouTube Video & Shorts Player With Vimeo <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Setting Exposure
Published
2025-04-17
Title
WP Logger < 2.2.1 - Missing Authorization
Published
2025-11-04
Title
ZoloBlocks < 2.3.12 - Missing Authorization