Skip to main content

Crocoblock JetTabs CVE-2025-68498

MEDIUM
Missing Authorization (CWE-862)
2025-12-30 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 30, 2025 - 00:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Crocoblock JetTabs jet-tabs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetTabs: from n/a through <= 2.2.12.

AnalysisAI

Missing authorization in Crocoblock JetTabs WordPress plugin version 2.2.12 and earlier allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit misconfigured security levels. The vulnerability stems from improper validation of user permissions before executing sensitive operations, potentially enabling unauthorized access to restricted plugin functionality or data.

Technical ContextAI

The Crocoblock JetTabs plugin (CPE: wp:crocoblock:jettabs) is a WordPress extension for creating tabbed content interfaces. The vulnerability is classified as CWE-862 (Missing Authorization), indicating the application fails to verify whether a user has appropriate permissions before granting access to protected resources or operations. WordPress plugins operate within the wp-admin and frontend environments where access control should be enforced via capability checks (e.g., current_user_can()) and nonce verification. The absence of these checks allows attackers to directly invoke restricted functionality regardless of their role or authentication status.

Affected ProductsAI

Crocoblock JetTabs WordPress plugin versions 2.2.12 and earlier (CPE: wp:crocoblock:jettabs). The vulnerability affects all installations within this version range running on WordPress environments. Details and advisory information are available from the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-broken-access-control-vulnerability?_s_id=cve.

RemediationAI

Upgrade the Crocoblock JetTabs plugin to a version newer than 2.2.12 immediately. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-broken-access-control-vulnerability for the exact patched version number and download link. If an immediate upgrade is not possible, temporarily disable the JetTabs plugin until patched. Additionally, review WordPress user roles and capabilities to ensure only trusted administrators have access to sensitive plugin features, and regularly audit access logs for unauthorized API calls or admin action attempts targeting JetTabs functionality.

Share

CVE-2025-68498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy