VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 29, 2025 · Updated Apr 23, 2026

CVE-2025-68503

Description

Missing Authorization vulnerability in Crocoblock JetBlog jet-blog allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetBlog: from n/a through <= 2.4.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in JetBlog ≤2.4.7 allows unauthenticated attackers to exploit incorrectly configured access controls.

The JetBlog plugin for WordPress, versions 2.4.7 and earlier, contains a missing authorization vulnerability. The issue stems from a broken access control mechanism, where the plugin fails to properly verify user permissions or nonce tokens before executing certain higher-privileged actions [1]. This allows an unauthenticated attacker to exploit incorrectly configured access control security levels.

Attackers can exploit this vulnerability remotely without any authentication, as the missing authorization check does not require a valid user session. The attack surface is broad because the plugin is widely used, and the vulnerability can be leveraged in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of their traffic or popularity [1].

Successful exploitation could allow an attacker to perform actions normally reserved for higher-privileged users, such as modifying or accessing sensitive data, depending on the specific missing authorization context. The CVSS v3 base score of 6.5 (Medium) reflects the potential for significant impact without requiring authentication [1].

The vulnerability has been addressed in version 2.4.7.1 of the JetBlog plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
