CVE-2023-1406

8.8 HIGH

📋 TL;DR

This vulnerability in the JetEngine WordPress plugin allows attackers to upload files that can be executed as code, leading to remote code execution. It affects WordPress sites running JetEngine versions before 3.1.3.1. Attackers can potentially take full control of affected websites.

💻 Affected Systems

Products:
  • JetEngine WordPress plugin
Versions: All versions before 3.1.3.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every WordPress installation where a vulnerable JetEngine plugin version is installed and active.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the WordPress site, allowing attackers to execute arbitrary code, install backdoors, steal data, deface the site, or pivot to internal networks.

🟠 Likely Case

Attackers upload web shells or malicious scripts to gain persistent access, modify content, or install cryptocurrency miners.

🟢 If Mitigated

If proper file upload restrictions and web application firewalls are in place, exploitation attempts would be blocked or detected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user, but a low-privileged account may be sufficient. Multiple public proof-of-concepts exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.3.1 and later

Vendor Advisory: https://wpscan.com/vulnerability/2a81b6b1-2339-4889-9c28-1af133df8b65

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find JetEngine and click 'Update Now'.
4. Verify the version is 3.1.3.1 or higher.

🔧 Temporary Workarounds

  • Disable file upload functionality (scope: all): Temporarily disable file upload features in JetEngine if not essential.
  • Web Application Firewall rules (scope: all): Block suspicious file uploads and execution attempts.

🧯 If You Can't Patch

  • Disable or remove the JetEngine plugin entirely
  • Implement strict file upload restrictions at the web server level

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → JetEngine version. If the version is below 3.1.3.1, you are vulnerable.

Check Version:

wp plugin list --name=jetengine --field=version

Verify Fix Applied:

Confirm JetEngine version is 3.1.3.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to JetEngine endpoints
  • Execution of PHP files in upload directories
  • Multiple failed upload attempts

Network Indicators:

  • POST requests to /wp-content/uploads/jet-engine/ with executable file extensions
  • Unusual outbound connections from web server

SIEM Query:

source="web_server" AND (uri_path="/wp-content/uploads/jet-engine/*" AND (file_extension="php" OR file_extension="phtml" OR file_extension="phar"))
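The version check from "How to Verify" and the SIEM query above, as an added example that is not part of this advisory: it compares an installed JetEngine version against 3.1.3.1 and runs the upload-path/extension logic over constructed Apache-style access log lines. It goes slightly beyond the query by also flagging double extensions such as `img.php.jpg`.

```python
import re

PATCHED_VERSION = "3.1.3.1"          # fixed version from the advisory
UPLOAD_PATH = "/wp-content/uploads/jet-engine/"
EXEC_EXTENSIONS = {"php", "phtml", "phar"}

def parse_version(v):
    """'3.1.3' -> (3, 1, 3, 0); padded so 3.1.3 sorts below 3.1.3.1."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable_version(installed):
    """True when the installed JetEngine version predates the fix."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)

# Combined log format: client IP, request method, path and status are enough here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) ')

def has_executable_extension(path):
    """Check every dot-separated suffix, so 'img.php.jpg' is caught as well."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return any(ext in EXEC_EXTENSIONS for ext in name.split(".")[1:])

def flag_suspicious_requests(log_lines):
    """Return (ip, method, path, status) for requests to executable files
    under the JetEngine upload directory (upload or execution attempts)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if path.startswith(UPLOAD_PATH) and has_executable_extension(path):
            hits.append((ip, method, path, int(status)))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "POST /wp-content/uploads/jet-engine/shell.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /wp-content/uploads/jet-engine/shell.php HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Mar/2023:12:01:00 +0000] "GET /wp-content/uploads/jet-engine/photo.jpg HTTP/1.1" 200 4096',
    '198.51.100.9 - - [10/Mar/2023:12:02:00 +0000] "POST /wp-content/uploads/jet-engine/img.php.jpg HTTP/1.1" 200 900',
    '192.0.2.4 - - [10/Mar/2023:12:03:00 +0000] "GET /wp-content/uploads/2023/03/file.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("3.1.3 vulnerable:", is_vulnerable_version("3.1.3"))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("ALERT", hit)
```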

🔗 References