CVE-2023-48758
Published: 02 January 2025
Summary
CVE-2023-48758 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-48758 is a missing authorization vulnerability (CWE-862) in the Crocoblock JetEngine WordPress plugin, enabling exploitation of incorrectly configured access control security levels. The issue affects JetEngine versions from n/a through 3.2.4.
With a CVSS v3.1 base score of 7.1 (High), the vulnerability is exploitable over the network (AV:N) with low complexity (AC:L) by low-privileged authenticated users (PR:L), requires no user interaction (UI:N), and leaves scope unchanged (S:U). Successful exploitation yields low integrity impact (I:L) and high availability impact (A:H) with no confidentiality impact (C:N), so the realistic outcomes are limited data modification and denial-of-service conditions. Taken together these metrics correspond to the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-2-4-broken-access-control-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-02T15:15:20.920.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-52791
Vulnerability details
Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through <= 3.2.4.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Missing authorization in a public-facing WordPress plugin directly enables remote exploitation of the application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly countering the missing authorization check in JetEngine that lets low-privileged users exploit access control security levels.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws such as CVE-2023-48758 in JetEngine versions through <= 3.2.4, so that patching closes the exploitation path.
- AC-6 (Least Privilege): Restricts the capabilities granted to low-privileged users, limiting the impact of any unauthorized action the missing authorization check would otherwise allow.