{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69333", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:23.433Z", "datePublished": "2026-01-07T11:52:24.090Z", "dateUpdated": "2026-04-28T16:14:37.719Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected", "packageName": "jet-engine", "product": "JetEngine", "vendor": "Crocoblock", "versions": [{"changes": [{"at": "3.8.1.2", "status": "unaffected"}], "lessThanOrEqual": "3.8.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:01.853Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects JetEngine: from n/a through <= 3.8.1.1.</p>"}], "value": "Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.8.1.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.719Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-1-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress JetEngine plugin <= 3.8.1.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T14:20:08.799913Z", "id": "CVE-2025-69333", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:20:19.393Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69333", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T14:20:08.799913Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T14:20:15.582Z"}}], "cna": {"title": "WordPress JetEngine plugin <= 3.8.1.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Crocoblock", "product": "JetEngine", "versions": [{"status": "affected", "changes": [{"at": "3.8.1.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.8.1.1"}], "packageName": "jet-engine", "collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:46.383Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-1-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.8.1.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects JetEngine: from n/a through <= 3.8.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:00.241Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69333", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:14:00.241Z", "dateReserved": "2025-12-31T20:12:23.433Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-07T11:52:24.090Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.8.1.1."}], "id": "CVE-2025-69333", "lastModified": "2026-04-23T15:36:22.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-07T12:17:06.413", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-1-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:21:07.747265+00:00", "value": {"mitigation_remediation": ["Update the JetEngine plugin to version 3.8.1.2 or newer.", "Verify that all plugin settings enforce correct role restrictions.", "Review and tighten WordPress user roles, ensuring only authorized users have advanced capabilities.", "Monitor site logs for unauthorized changes and implement audit logging if not already in place."], "summary": {"action": "Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has the Crocoblock JetEngine plugin installed with a version of 3.8.1.1 or earlier is affected. This includes all releases from the plugin\u2019s inception through 3.8.1.1.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Crocoblock JetEngine plugin for WordPress versions up to 3.8.1.1. It allows an attacker to bypass role\u2011based access controls and perform operations that should be restricted, such as modifying content, creating or deleting database entries, or abusing plugin functionalities. The flaw is categorized as a broken access control weakness (CWE\u2011862).", "risk_and_exploitability": "The EPSS score is below 1\u202f%, indicating that the likelihood of current exploitation is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. The CVSS score of 4.3 indicates moderate severity. Nonetheless, the impact of an exploitation would be significant, providing an attacker with elevated privileges and the ability to manipulate or destroy site data. Exploitation would require the attacker to target the plugin\u2019s endpoints, which lack proper authorization checks, and does not appear to require privileged credentials on the host."}}}}, "created": "2026-01-08T09:49:07.686049+00:00", "updated": "2026-04-28T18:30:37.329756+00:00", "vendors": ["crocoblock", "crocoblock$PRODUCT$jetengine", "wordpress", "wordpress$PRODUCT$wordpress"]}