The flaw is a missing authorization check in Crocoblock JetBlog plugin version 2.4.7 and earlier. The plugin allows attackers to bypass configured access control levels, enabling them to perform actions reserved for higher‑privilege users such as creating, editing or deleting content, or accessing restricted data. This issue is classified as CWE‑862 and can lead to unauthorized modification of site content and potential exposure of sensitive information. The lack of proper authorization ensures that any authenticated user can exploit the vulnerability if the plugin's settings are not properly configured.

The vulnerability affects Crocoblock JetBlog plugin for WordPress, all releases up to and including version 2.4.7. The problem is present in the core plugin code and any custom implementations that rely on the same access‑control logic. Because the plugin is widely used in sites that embed blog posts within a larger website, the issue could impact a broad range of WordPress installations that have not yet applied the latest patch.

The CVSS score of 6.5 indicates a medium impact, while the EPSS score of less than 1% suggests that exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog, and no publicly disclosed exploit is known at the time of analysis. However, attackers could still craft requests that leverage the missing authorization check, especially if the target site has a large author or editor user base. The attack vector is inferred to be remote exploitation through the WordPress admin interface or plugin endpoints, and it requires at least authenticated access unless the site's configuration permits unauthenticated users to reach JetBlog functionality.