Cyber Resilience

CVE-2023-48758

High

Published: 02 January 2025

Modified: 29 April 2026
CISA KEV: not listed
CVSS v3.1 base score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS score: 0.0021 (43.4th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-48758 is a high-severity Missing Authorization (CWE-862) vulnerability in the Crocoblock JetEngine WordPress plugin. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 43.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-48758 is a missing authorization vulnerability (CWE-862) in the Crocoblock JetEngine WordPress plugin: functionality that should require a capability check is reachable without one, which Patchstack classifies under the attack pattern "Exploiting Incorrectly Configured Access Control Security Levels" (CAPEC-180). The affected range is listed as "n/a through 3.2.4", i.e. every release up to and including 3.2.4; the advisory does not name the first fixed release, so confirm it against the Patchstack entry linked below before treating a site as remediated.

With a CVSS v3.1 base score of 7.1 (High), the vulnerability is exploitable over the network (AV:N) with low complexity (AC:L) by low-privileged authenticated users (PR:L), requiring no user interaction (UI:N) and with unchanged scope (S:U). The advisory does not state the minimum role needed; in a WordPress context PR:L means some authenticated role below Administrator, so sites with open registration should assume the lowest. Attackers can achieve low integrity impact (I:L) and high availability impact (A:H) with no confidentiality impact (C:N), i.e. limited data modification and denial-of-service conditions.
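As an added illustration written for this page (not JetEngine's code, and not the code path behind CVE-2023-48758, which the advisory does not publish), the PHP below shows the generic CWE-862 shape in a WordPress plugin: an AJAX handler that any logged-in user can reach with no capability check, beside a hardened version that verifies a nonce and an object-level capability, plus the equivalent `permission_callback` for a REST route. The action names `example_delete_item*`, the route `example/v1/items`, and the `delete_post` capability are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration of CWE-862 in a WordPress plugin. This is NOT JetEngine's
 * code and not the code path behind CVE-2023-48758; the action names, route
 * and capability are assumptions chosen for the example.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} fires for any logged-in user, Subscriber included. With
// no nonce and no capability check, a low-privileged account (PR:L) can
// delete any post: an integrity/availability impact with no confidentiality
// impact, which is the shape of the vector on this page.
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_vulnerable' );
function example_delete_item_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true );               // no authorization at all
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_delete_item_safe', 'example_delete_item_hardened' );
function example_delete_item_hardened() {
    // 1. Anti-CSRF: the request must carry a nonce minted for this action
    //    (check_ajax_referer dies with HTTP 403 when it does not).
    check_ajax_referer( 'example_delete_item', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || null === get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post.' ), 400 );
    }

    // 2. Authorization (NIST AC-3): check the meta capability for THIS object.
    //    'delete_post' resolves per post and per role, so a Subscriber gets 403
    //    and an Author can only delete their own posts. Replacing this with
    //    is_user_logged_in() would still be CWE-862.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// --- Same rule for the REST API ----------------------------------------
// WordPress evaluates permission_callback before the callback. Returning
// '__return_true' there for a mutating route is the same missing-authorization
// defect as the vulnerable AJAX handler above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/items/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
            ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'delete_post', (int) $request['id'] );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            wp_delete_post( $post_id, true );
            return rest_ensure_response( array( 'deleted' => $post_id ) );
        },
    ) );
} );
```

The `wp_ajax_` prefix is what makes PR:L the floor here; registering the same function on `wp_ajax_nopriv_` would make it reachable unauthenticated (PR:N). When triaging a plugin for this class of bug, list its `add_action( 'wp_ajax_...' )` and `register_rest_route()` calls and confirm that every mutating handler reaches a `current_user_can()` check on the specific object before it acts, not merely a logged-in check.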

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-2-4-broken-access-control-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-02T15:15:20.920.


Vulnerability details

Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through 3.2.4.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization in a public-facing WordPress plugin directly enables remote exploitation of the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

Crocoblock JetEngine (WordPress plugin), all versions up to and including 3.2.4

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to system resources, directly countering the missing authorization check in JetEngine that lets low-privileged users reach functionality they should not.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of flaws such as CVE-2023-48758 in JetEngine versions through 3.2.4, removing the exposure by patching.

AC-6 Least Privilege (prevent)

Restricts what low-privileged users can do, limiting the impact of unauthorized actions enabled by the missing authorization check.
