CVE-2023-48758: 
WordPress vulnerability analysis and mitigation

The JetEngine WordPress plugin contains a Missing Authorization vulnerability (CVE-2023-48758) discovered on November 28, 2023. This security issue affects versions up to and including 3.2.4 of the plugin, which is developed by Crocoblock. The vulnerability stems from a missing capability check that could allow authenticated users with subscriber-level access and above to perform unauthorized actions (WPScan, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) and has received a CVSS v3.1 score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H. The security flaw is characterized by missing authorization checks that could lead to unauthorized access and actions by authenticated users (NVD, Patchstack).

The vulnerability allows authenticated attackers with subscriber-level access or higher to perform unauthorized actions within the JetEngine plugin. This represents a significant security risk as it could lead to unauthorized access and potential manipulation of plugin functionality (WPScan).

The vulnerability has been fixed in JetEngine version 3.2.5. Website administrators are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).