CVE-2023-48758 - Missing Authorization Vulnerability in Crocoblock JetEngine Exploiting Incorrectly Configured Access Control Security Levels

Recently, a security vulnerability was disclosed in the popular WordPress plugin Crocoblock JetEngine, which designers and developers use to build dynamic sites on top of native WordPress functionality. The issue, tracked as CVE-2023-48758, is a Missing Authorization weakness: plugin functionality can be reached without the access control check it should enforce.

Affected Versions

This vulnerability affects all versions of JetEngine from the earliest releases up to, and including, version 3.2.4.

Vulnerability Details

At its core, this vulnerability stems from plugin functionality that is reachable without an authorization check. An attacker can call that functionality directly and potentially obtain sensitive information, and, where the same defect covers write operations, create, modify, or delete content that should only be managed from the site's backend. Exploitation requires little technical knowledge, which makes the flaw attractive to opportunistic attackers.

The root cause is a missing authorization check in the JetEngine codebase. As a result, unauthenticated users can call the plugin's REST API routes, which exposes information and allows actions to be performed without the access control that the rest of WordPress would normally apply.

The problematic pattern can be illustrated with a simplified snippet of the following shape (the function and variable names here are illustrative, not the plugin's actual identifiers):

add_action( 'rest_api_init', 'je_rest_api_init' );

function je_rest_api_init() {
	// Registers GET /wp-json/jet-engine/v1/listing/<id>. No permission_callback
	// is supplied, so WordPress treats the route as public.
	register_rest_route( 'jet-engine/v1', '/listing/(?P<id>[\d]+)', array(
		'methods'  => 'GET',
		'callback' => 'je_rest_api_get_listing_item',
	) );
}

function je_rest_api_get_listing_item( $request ) {
	global $je_render; // renderer object assumed by this simplified snippet

	$item_id = $request->get_param( 'id' );

	// Missing authorization check here: nothing verifies that the caller may
	// read listing item $item_id before it is rendered and returned.
	return $je_render->render_listing_item( $item_id );
}

This code registers the REST route without a permission_callback. WordPress does not fail closed in that case: since version 5.5 it logs a _doing_it_wrong notice for a route that lacks permission_callback, but the route is still registered and served as public. Any user, authenticated or not, can therefore issue a GET request to the endpoint and retrieve the rendered item simply by specifying a listing ID.
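The following is an added example for this page, not JetEngine's or Crocoblock's code. It places the vulnerable registration (no permission_callback) beside a hardened one that validates the id argument and makes a per-object authorization decision before the callback runs. The namespace example/v1, the route and helper names, and the fields returned are assumptions chosen to illustrate the pattern.

```php
<?php
// Added example for this page, not JetEngine's or Crocoblock's code. The
// namespace example/v1, route names, helper names and the returned fields are
// assumptions chosen to illustrate the pattern.

add_action( 'rest_api_init', 'example_register_listing_routes' );

function example_register_listing_routes() {
	// Vulnerable shape: no permission_callback. Since WordPress 5.5 this logs a
	// _doing_it_wrong notice, but the route is still registered as public, so
	// an unauthenticated GET /wp-json/example/v1/listing-open/<id> succeeds.
	register_rest_route( 'example/v1', '/listing-open/(?P<id>\d+)', array(
		'methods'  => WP_REST_Server::READABLE,
		'callback' => 'example_get_listing_item',
	) );

	// Hardened shape: explicit permission_callback plus argument validation.
	// WordPress evaluates permission_callback before the callback runs.
	register_rest_route( 'example/v1', '/listing/(?P<id>\d+)', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_get_listing_item',
		'permission_callback' => 'example_can_read_listing_item',
		'args'                => array(
			'id' => array(
				'required'          => true,
				'validate_callback' => 'example_validate_id',
				'sanitize_callback' => 'absint',
			),
		),
	) );
}

function example_validate_id( $value ) {
	return is_numeric( $value ) && (int) $value > 0;
}

// Per-object authorization. Published content of a public post type is
// readable by anyone, which matches what the front end already shows; anything
// else (private, draft, password-protected or non-public types) requires a
// user who holds read_post for that specific post.
function example_can_read_listing_item( WP_REST_Request $request ) {
	$post = get_post( absint( $request->get_param( 'id' ) ) );
	if ( ! $post ) {
		return new WP_Error( 'rest_not_found', 'Listing item not found.', array( 'status' => 404 ) );
	}

	$status = get_post_status_object( get_post_status( $post ) );
	$type   = get_post_type_object( $post->post_type );
	if ( $status && $status->public && $type && $type->public && empty( $post->post_password ) ) {
		return true;
	}

	// For REST, cookie auth only counts with a valid X-WP-Nonce; otherwise the
	// request runs as user 0 and current_user_can() is false, which is exactly
	// the behaviour wanted for anonymous callers.
	if ( current_user_can( 'read_post', $post->ID ) ) {
		return true;
	}
	return new WP_Error(
		'rest_forbidden',
		'You are not allowed to view this listing item.',
		array( 'status' => rest_authorization_required_code() )
	);
}

// Shared callback. It returns a fixed set of fields instead of dumping the
// post object and its meta, so even the open route leaks less than a raw dump.
function example_get_listing_item( WP_REST_Request $request ) {
	$post = get_post( absint( $request->get_param( 'id' ) ) );
	if ( ! $post ) {
		return new WP_Error( 'rest_not_found', 'Listing item not found.', array( 'status' => 404 ) );
	}
	return rest_ensure_response( array(
		'id'      => $post->ID,
		'title'   => get_the_title( $post ),
		'content' => apply_filters( 'the_content', $post->post_content ),
	) );
}
```

To see the difference on a test site, create a draft post and request it anonymously from both routes with curl: /listing-open/<id> returns the draft, while /listing/<id> answers 401 with rest_forbidden. Note that the /wp-json/ index does not reveal whether a route has a permission_callback, so the check cannot be done from outside; audit plugin source for register_rest_route calls whose argument array lacks permission_callback, or watch the debug log for the _doing_it_wrong notice.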

Unauthorized users can access sensitive information from the website's backend

By simply making a GET request to the REST API endpoint mentioned above, an attacker can gain access to sensitive information from the backend of the website, such as user details, custom metadata, or private posts.

Unauthorized users can modify or delete content

The snippet above only registers a GET route. Where the same pattern, a route served without a permission_callback, is applied to POST or DELETE handlers, attackers can also create, modify, or delete content on the website without any access control. This can lead to defacement, disruption of service, or the insertion of malicious content into the site.

Mitigations and Recommendations

The plugin developers have acknowledged the vulnerability and released a patch addressing this issue in version 3.2.5. Users are advised to update their installations of JetEngine to the latest version immediately.

Updating is the only complete fix: a missing permission_callback is a code defect, and no change to user roles closes it, because the request is served before any role or capability is consulted. As defence in depth, webmasters should still review role and capability assignments so that only trusted users can create, modify or delete content, and sites that cannot update immediately should restrict the plugin's REST namespace (at the web server or with a small must-use plugin) until the update is applied, after testing that no legitimate front-end feature relies on anonymous access to those routes.
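One way to implement the temporary restriction mentioned above, as an added example that is not JetEngine's or Crocoblock's code: a must-use plugin that uses the core rest_pre_dispatch filter to refuse REST requests under a configured namespace unless the caller is an authenticated user holding a given capability. The namespace jet-engine/v1 is taken from the illustrative snippet earlier on this page and, like the capability edit_posts, is an assumption to adjust to the routes the site actually exposes.

```php
<?php
/**
 * Plugin Name: Temporary REST gate for an unpatched plugin namespace
 *
 * Added example, not JetEngine's or Crocoblock's code. Place the file in
 * wp-content/mu-plugins/ on a site that cannot update right away. It refuses
 * REST requests under the listed namespaces unless the caller is an
 * authenticated user with the required capability. Namespace list and
 * capability are assumptions; adjust them to the routes the site exposes.
 */

const EXAMPLE_GATED_NAMESPACES = array( 'jet-engine/v1' );
const EXAMPLE_REQUIRED_CAP     = 'edit_posts';

add_filter( 'rest_pre_dispatch', 'example_gate_rest_namespaces', 10, 3 );

function example_gate_rest_namespaces( $result, WP_REST_Server $server, WP_REST_Request $request ) {
	// Another filter already produced a response or error; do not override it.
	if ( null !== $result ) {
		return $result;
	}

	// get_route() returns e.g. "/jet-engine/v1/listing/5".
	$route = ltrim( $request->get_route(), '/' );

	foreach ( EXAMPLE_GATED_NAMESPACES as $namespace ) {
		$prefix = rtrim( $namespace, '/' ) . '/';
		if ( 0 !== strpos( $route, $prefix ) ) {
			continue;
		}

		// rest_pre_dispatch runs after REST authentication, so the current user
		// reflects cookie+nonce or application-password auth. A bare session
		// cookie without X-WP-Nonce runs as user 0 and is rejected here.
		if ( ! is_user_logged_in() || ! current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
			return new WP_Error(
				'rest_forbidden',
				'This endpoint is temporarily restricted.',
				array( 'status' => rest_authorization_required_code() )
			);
		}
	}

	return $result;
}
```

Returning a WP_Error from rest_pre_dispatch short-circuits dispatch, so neither the route's callback nor its (missing) permission check ever runs. The gate is deliberately coarse: it blocks the whole namespace, including any routes that anonymous visitors legitimately use, so verify the front end after enabling it and remove the file once the plugin is updated to 3.2.5 or later.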

Original References

1. CVE Details - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48758
2. JetEngine Plugin Release Notes - https://crocoblock.com/updates/clearfy/security-fix-for-jetengine-plugin
3. OWASP Top Ten - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control

Conclusion

CVE-2023-48758 is a high-risk vulnerability that potentially allows attackers to exploit missing authorization checks in the Crocoblock JetEngine plugin, resulting in unauthorized access, content manipulation, and sensitive information disclosure. It is crucial for webmasters to update their installations to the latest version of JetEngine (3.2.5) and review their access control configurations to prevent potential security breaches.

Timeline

Published on: 01/02/2025 14:14:17 UTC