Skip to main content

Crocoblock JetBlog CVE-2025-68503

MEDIUM
Missing Authorization (CWE-862)
2025-12-29 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 29, 2025 - 22:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Crocoblock JetBlog jet-blog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetBlog: from n/a through <= 2.4.7.

AnalysisAI

Missing authorization in Crocoblock JetBlog plugin versions up to 2.4.7 allows unauthenticated attackers to exploit incorrectly configured access control, potentially bypassing intended security restrictions on blog content and administrative functions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive operations, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the authorization defect.

Technical ContextAI

JetBlog is a WordPress plugin that provides advanced blog functionality and content management features. The vulnerability exists in the plugin's access control layer (CWE-862: Missing Authorization), which fails to properly validate whether a user has permission to access or modify protected resources. This typically occurs when WordPress nonce verification, capability checks, or role-based access controls are either missing or improperly implemented in plugin functions that handle blog operations, settings, or content management. The broken access control allows attackers to circumvent intended authorization boundaries without needing valid credentials.

Affected ProductsAI

Crocoblock JetBlog plugin for WordPress is affected in all versions from the earliest release through version 2.4.7 and prior. The plugin is available via the WordPress plugin repository and distributed through Crocoblock's ecosystem. Exact CPE data for the plugin variant is not independently confirmed from the provided intelligence, but the vulnerability applies to WordPress installations using JetBlog versions 2.4.7 or earlier.

RemediationAI

Update Crocoblock JetBlog to the latest available version greater than 2.4.7 immediately via the WordPress plugin dashboard (Plugins > Installed Plugins > JetBlog > Update Now), or download the latest release from the official Crocoblock website or WordPress plugin repository. If automatic updates are enabled, JetBlog should update automatically upon availability. Review access control settings and any custom permissions rules configured within JetBlog to ensure they are properly enforced post-upgrade. Monitor the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-blog/vulnerability/wordpress-jetblog-plugin-2-4-7-broken-access-control-vulnerability for confirmation of patched version number.

Share

CVE-2025-68503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy