CVE-2025-26958: 
WordPress vulnerability analysis and mitigation

The CVE-2025-26958 is a Missing Authorization vulnerability affecting JetBlog versions through 2.4.3. The vulnerability allows accessing functionality not properly constrained by Access Control Lists (ACLs). The issue was discovered and disclosed on April 15, 2025, by security researcher stealthcopter (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 7.5 (HIGH). The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction (Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. This could lead to unauthorized access to protected functionality within the JetBlog plugin (Patchstack).

The vulnerability has been fixed in JetBlog version 2.4.3.1. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).