CVE-2025-26953 Overview
CVE-2025-26953 is a Missing Authorization vulnerability [CWE-862] in the Crocoblock JetMenu plugin for WordPress. The flaw affects JetMenu versions up to and including 2.4.9 and allows attackers to access functionality that is not properly constrained by access control lists (ACLs). The vulnerability is exploitable remotely over the network without authentication or user interaction. Successful exploitation leads to unauthorized access to plugin functionality, with confidentiality impact on affected WordPress sites.
Critical Impact
Unauthenticated remote attackers can reach JetMenu functionality that should require authorization, exposing sensitive plugin data and operations on vulnerable WordPress sites.
Affected Products
- Crocoblock JetMenu plugin for WordPress
- JetMenu versions from unspecified initial release through 2.4.9
- WordPress sites running JetMenu <= 2.4.9
Discovery Timeline
- 2025-04-15 - CVE-2025-26953 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-26953
Vulnerability Analysis
The vulnerability is a Broken Access Control issue in the JetMenu WordPress plugin. JetMenu exposes plugin functionality through endpoints that fail to verify whether the requesting user is authorized to invoke them. An unauthenticated attacker can issue crafted HTTP requests to these endpoints and reach functionality intended for privileged users.
The CWE-862 classification indicates the code path does not perform an authorization check before executing sensitive operations. This pattern is common in WordPress plugins that register AJAX or REST handlers without calling capability checks such as current_user_can() or verifying a valid nonce with check_ajax_referer().
The impact is scoped to confidentiality. Attackers can read information or invoke functionality that would otherwise require an authenticated session. Integrity and availability are not directly affected according to the CVSS vector.
Root Cause
The root cause is the absence of authorization checks on one or more JetMenu request handlers. The plugin registers callable endpoints but does not enforce capability verification, role checks, or nonce validation before executing the underlying logic. Any caller able to reach the WordPress request endpoint can invoke the affected functionality.
Attack Vector
An attacker sends a direct HTTP request to the vulnerable JetMenu endpoint on a target WordPress site. No credentials, session, or user interaction are required. The request reaches the handler, which executes without verifying the caller's permissions. The exact endpoints and parameters are documented in the Patchstack JetMenu Vulnerability Advisory.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.272% (50.6 percentile) as of 2026-05-19.
Detection Methods for CVE-2025-26953
Indicators of Compromise
- Unauthenticated HTTP POST or GET requests to WordPress AJAX endpoints (/wp-admin/admin-ajax.php) referencing JetMenu actions from unexpected source IP addresses.
- Requests to JetMenu REST routes originating from clients that have not authenticated to the WordPress site.
- Web server access logs showing successful (HTTP 200) responses to JetMenu plugin endpoints from anonymous sessions.
Detection Strategies
- Inventory all WordPress installations and identify those running JetMenu <= 2.4.9 using plugin version scanning.
- Review WordPress and reverse-proxy access logs for repeated requests to JetMenu action handlers without an authenticated wordpress_logged_in_* cookie.
- Deploy web application firewall rules that flag direct access to JetMenu AJAX or REST endpoints from unauthenticated sessions.
Monitoring Recommendations
- Forward WordPress access logs and PHP error logs to a centralized log platform for correlation and retention.
- Alert on anomalous request volumes targeting admin-ajax.php with JetMenu action parameters.
- Track plugin inventory and version drift across all managed WordPress sites to identify unpatched installations.
How to Mitigate CVE-2025-26953
Immediate Actions Required
- Update the JetMenu plugin to a version later than 2.4.9 as soon as the vendor publishes a fixed release.
- If a patched version is not yet available, deactivate the JetMenu plugin on exposed sites until a fix is released.
- Restrict access to /wp-admin/admin-ajax.php and JetMenu REST routes at the WAF or reverse proxy where feasible.
Patch Information
The vulnerability affects JetMenu versions up to and including 2.4.9. Refer to the Patchstack JetMenu Vulnerability Advisory for the latest fixed version information and vendor remediation guidance. Apply the vendor-supplied patch through the WordPress plugin update mechanism.
Workarounds
- Disable the JetMenu plugin until an updated version is installed.
- Apply a virtual patch through a WordPress-aware WAF (such as Patchstack or Wordfence) that blocks unauthenticated requests to the affected JetMenu endpoints.
- Restrict administrative WordPress endpoints to known IP ranges where business requirements allow.
# Example WordPress-CLI command to check installed JetMenu version
wp plugin get jet-menu --field=version
# Deactivate JetMenu as a temporary mitigation
wp plugin deactivate jet-menu
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
