Description
Missing Authorization vulnerability in Crocoblock JetBlog jet-blog allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlog: from n/a through <= 2.4.3.
Published: 2025-04-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JetBlog plugin for WordPress contains a missing authorization flaw (CWE-862): plugin functionality that should be limited to authorized users can be invoked without the corresponding access-control check. The CVSS 3.1 vector recorded for the entry (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates that the exposed functionality discloses data (high confidentiality impact) rather than modifying the site or affecting availability, and that no privileges or user interaction are needed to reach it.

Affected Systems

This issue affects the Crocoblock JetBlog plugin (slug jet-blog) from its earliest release through version 2.4.3; the advisory gives no lower bound. Any WordPress installation with a vulnerable version of the plugin active is affected. No dependency on a particular WordPress core version is stated: the flaw is in the plugin's own request handlers, not in core.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of observed exploitation, and the vulnerability is not listed in CISA's KEV catalog. The SSVC assessment recorded in the history (Automatable: yes, Exploitation: none, Technical Impact: partial) points the same way: straightforward to script, but with no observed exploitation at the time of assessment. The attack vector is a remote web request: an attacker who can reach the site sends a request to the plugin handler that lacks an authorization check, and because the vector is PR:N no account is needed. Note that this is a missing authorization check, not an authentication bypass; WordPress authentication is not defeated, the handler simply never asks whether the caller is allowed to use it.

Generated by OpenCVE AI on May 2, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JetBlog to a release newer than 2.4.3 as soon as the vendor publishes one; the advisory lists every release through 2.4.3 as affected, and this entry records no vendor fix or workaround yet.
  • If no fixed release is available, temporarily deactivate the JetBlog plugin. A deactivated plugin's code is not loaded, so its AJAX and REST handlers are not registered and the unprotected endpoints stop responding.
  • As a stopgap, add a web-application firewall rule that blocks or rate-limits unauthenticated requests to the plugin's endpoints, and confirm that every plugin handler reachable through admin-ajax.php or the REST API performs a capability check (current_user_can) before touching data, plus a nonce check for state-changing actions. A WAF rule narrows exposure; only the authorization check in the handler removes it.
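The following PHP is an added illustration, not code from JetBlog or Crocoblock and not derived from the advisory, which publishes no endpoint details. It shows a generic WordPress plugin handler written with the CWE-862 pattern the entry describes, followed by a hardened AJAX handler and a REST route with the authorization check in place. The plugin prefix example_blog, the action and route names, the edit_posts capability and the nonce name are all hypothetical.

```php
<?php
/**
 * Added example: a generic WordPress plugin handler written with the CWE-862
 * pattern, then the hardened form. This is NOT JetBlog code; the prefix
 * example_blog, the action/route names, the edit_posts capability and the
 * nonce name are hypothetical.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern (missing authorization).
// The handler returns every post regardless of status and would be registered
// for anonymous callers too, so an unauthenticated request to
//   /wp-admin/admin-ajax.php?action=example_blog_export_unsafe
// would hand back drafts and private posts. Nothing here asks "may this
// caller do this?", which is exactly what CWE-862 describes.
// ---------------------------------------------------------------------------
function example_blog_export_unsafe() {
    $posts = get_posts( array( 'post_status' => 'any', 'numberposts' => 50 ) );
    wp_send_json_success( wp_list_pluck( $posts, 'post_title', 'ID' ) );
}
// Registration shown for illustration only; an unchecked handler must not ship.
// add_action( 'wp_ajax_example_blog_export_unsafe',        'example_blog_export_unsafe' );
// add_action( 'wp_ajax_nopriv_example_blog_export_unsafe', 'example_blog_export_unsafe' );

// ---------------------------------------------------------------------------
// Hardened AJAX handler.
// ---------------------------------------------------------------------------
function example_blog_export() {
    // 1. Authorization: the capability check is the fix for CWE-862. Use the
    //    capability that actually gates the data; edit_posts is assumed here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF: the nonce proves the request came from our own admin UI. It
    //    complements the capability check above; it does not replace it.
    check_ajax_referer( 'example_blog_export', 'nonce' );

    $posts = get_posts( array( 'post_status' => 'any', 'numberposts' => 50 ) );
    wp_send_json_success( wp_list_pluck( $posts, 'post_title', 'ID' ) );
}
add_action( 'wp_ajax_example_blog_export', 'example_blog_export' );
// Deliberately no wp_ajax_nopriv_ registration: admin-ajax.php answers an
// anonymous request for an action it does not know with "0" and HTTP 400.

// ---------------------------------------------------------------------------
// Hardened REST route. The REST-API form of the missing check is an absent
// permission_callback (or '__return_true' on a route that should be private).
// ---------------------------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-blog/v1', '/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_blog_rest_export',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'limit' => array(
                'type'              => 'integer',
                'default'           => 50,
                'minimum'           => 1,
                'maximum'           => 100,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_blog_rest_export( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_status' => 'any',
        'numberposts' => $request->get_param( 'limit' ),
    ) );
    return rest_ensure_response( wp_list_pluck( $posts, 'post_title', 'ID' ) );
}
```

With the hardened handlers in place, an anonymous call to admin-ajax.php with action=example_blog_export gets "0" with HTTP 400, a logged-in user without edit_posts gets the 403 JSON error, and an anonymous GET to /wp-json/example-blog/v1/export gets a 401 rest_forbidden response (403 once logged in without the capability). A quick audit for this bug class in any plugin: list its wp_ajax_nopriv_ and admin_post_nopriv_ hooks and its register_rest_route calls, then confirm that each callback (or permission_callback) decides authorization before it reads or writes anything.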

Generated by OpenCVE AI on May 2, 2026 at 02:18 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-10937
Title: Missing Authorization vulnerability in NotFound JetBlog allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlog: from n/a through 2.4.3.
History

Wed, 29 Apr 2026 10:15:00 +0000

Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Missing Authorization vulnerability in NotFound JetBlog allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlog: from n/a through 2.4.3.
  Added: Missing Authorization vulnerability in Crocoblock JetBlog jet-blog allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JetBlog: from n/a through <= 2.4.3.
Title
  Removed: WordPress JetBlog <= 2.4.3 - Broken Access Control Vulnerability
  Added: WordPress JetBlog plugin <= 2.4.3 - Broken Access Control Vulnerability
References
Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 15 Apr 2025 15:15:00 +0000

Metrics (ssvc), added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 12:15:00 +0000

Values added:
Description: Missing Authorization vulnerability in NotFound JetBlog allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlog: from n/a through 2.4.3.
Title: WordPress JetBlog <= 2.4.3 - Broken Access Control Vulnerability
Weaknesses: CWE-862
References
Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.730Z

Reserved: 2025-02-17T11:51:33.745Z

Link: CVE-2025-26958

Vulnrichment

Updated: 2025-04-15T14:31:14.287Z

NVD

Status : Deferred

Published: 2025-04-15T12:15:20.880

Modified: 2026-04-29T10:16:43.157

Link: CVE-2025-26958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z

Weaknesses