Description
Missing Authorization vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetWooBuilder: from n/a through <= 2.1.18.
Published: 2025-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing authorization checks in the JetWooBuilder plugin, allowing attackers to invoke functions that should be limited by access control lists. This can result in unauthorized manipulation or execution of plugin features, potentially leading to data tampering, content injection, or other illicit actions within the WordPress site. The flaw is a classic broken access control issue, identified as CWE-862, which permits privilege escalation or unauthorized use of restricted functionality.

Affected Systems

WordPress sites that have the Crocoblock JetWooBuilder plugin installed at version 2.1.18 or earlier are affected. The flaw exists in all releases up to that point, and any instance using the plugin in that version range is vulnerable. Administrators should check their site for the presence of the plugin and its version number.

Risk and Exploitability

Based on the description, the likely attack vector is inferred to be direct access to the affected plugin endpoints from a remote web browser, bypassing normal role checks and executing privileged operations without appropriate authorization. With a CVSS score of 7.5 the flaw is considered high severity, yet the EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 08:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JetWooBuilder plugin to the latest version that includes the authorization fix, ensuring the version is newer than 2.1.18.
  • If immediate update is not possible, employ a web application firewall or security plugin to block or monitor calls to the plugin’s restricted endpoints as a temporary safeguard.
  • Review and tighten user roles on the WordPress site, removing unused administrator accounts and enforcing least privilege to reduce the impact scope if an attacker gains access.

Advisories
Source: EUVD
ID: EUVD-2025-15755
Title: Missing Authorization vulnerability in Crocoblock JetWooBuilder allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetWooBuilder: from n/a through 2.1.18.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in Crocoblock JetWooBuilder allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetWooBuilder: from n/a through 2.1.18.
  Added: Missing Authorization vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetWooBuilder: from n/a through <= 2.1.18.
Title
  Removed: WordPress JetWooBuilder <= 2.1.18 - Broken Access Control Vulnerability
  Added: WordPress JetWooBuilder plugin <= 2.1.18 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 19:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Crocoblock JetWooBuilder allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetWooBuilder: from n/a through 2.1.18.
Title WordPress JetWooBuilder <= 2.1.18 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.209Z

Reserved: 2025-04-16T06:23:29.555Z

Link: CVE-2025-39449

Vulnrichment

Updated: 2025-05-19T21:14:23.649Z

NVD

Status: Deferred

Published: 2025-05-19T19:15:50.023

Modified: 2026-04-29T10:16:46.943

Link: CVE-2025-39449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z
