CVE-2023-47788

4.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization (broken access control) vulnerability in Automattic's Jetpack WordPress plugin that lets contributor-level users perform actions their role is not authorized for, bypassing the plugin's intended restrictions. It affects all WordPress sites running Jetpack versions before 12.7.

💻 Affected Systems

Products:
  • WordPress Jetpack Plugin
Versions: All versions before 12.7
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with Jetpack plugin installed and contributor users enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Contributors could modify or delete content they shouldn't have access to, potentially defacing websites or removing critical content.

🟠 Likely Case

Contributors gaining unauthorized access to edit or manage content beyond their intended permissions, leading to content integrity issues.

🟢 If Mitigated

With proper role-based access controls and monitoring, impact would be limited to minor unauthorized content modifications that could be detected and reverted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires contributor-level access, making exploitation straightforward for users with those credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.7

Vendor Advisory: https://patchstack.com/database/vulnerability/jetpack/wordpress-jetpack-plugin-12-7-contributor-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Jetpack and click 'Update Now' if available.
4. Alternatively, download Jetpack 12.7+ from WordPress.org and upload via FTP.

🔧 Temporary Workarounds

Disable Contributor Role (all)

Temporarily disable or restrict contributor user accounts until patching is complete.

Role Capability Restrictions (all)

Use role management plugins to further restrict contributor capabilities.

🧯 If You Can't Patch

  • Implement strict monitoring of contributor user activities and content changes
  • Apply additional access control layers through security plugins or custom code

🔍 How to Verify

Check if Vulnerable:

Check Jetpack version in WordPress admin under Plugins → Installed Plugins. If version is below 12.7, you are vulnerable.

Check Version:

wp plugin list --name=jetpack --field=version

Verify Fix Applied:

Confirm Jetpack version is 12.7 or higher in WordPress admin panel.
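The version check above, wrapped in a script that compares the installed release against the fixed version 12.7 numerically (a plain string comparison would wrongly treat 12.10 as older than 12.7). This is an added example, not part of the advisory; it assumes WP-CLI is installed and run from the WordPress root, and the function and variable names are illustrative.

```shell
# Added example (not from the advisory): decide whether an installed Jetpack
# version is below the fixed release 12.7, comparing major/minor as numbers.
FIXED_MAJOR=12
FIXED_MINOR=7

# Returns 0 (true) when the given version is below 12.7, 1 otherwise.
# Accepts "12", "12.6", "12.6.1" and similar dotted versions.
jetpack_is_vulnerable() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # No dot at all means the minor component is absent; treat it as 0.
    [ "$rest" = "$ver" ] && minor=0
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -gt "$FIXED_MAJOR" ]; then return 1; fi
    [ "$minor" -lt "$FIXED_MINOR" ]
}

# Queries the live site with the WP-CLI command from the advisory and reports.
# Exit codes: 0 = vulnerable, 1 = patched, 2 = could not determine.
check_site() {
    ver=$(wp plugin list --name=jetpack --field=version 2>/dev/null) || {
        echo "Could not read Jetpack version (WP-CLI missing or plugin not installed)"
        return 2
    }
    if jetpack_is_vulnerable "$ver"; then
        echo "VULNERABLE: Jetpack $ver is below 12.7, update required"
        return 0
    fi
    echo "OK: Jetpack $ver is 12.7 or newer"
    return 1
}

# Uncomment to run against a real site from the WordPress root:
# check_site
```

Run `check_site` from the WordPress root; the exit code makes it usable in a fleet-wide loop or a cron job that pages when any site returns 0.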

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized content modifications by contributor users
  • Unexpected POST requests to admin-ajax.php or REST API endpoints

Network Indicators:

  • Unusual contributor-level API calls to WordPress admin endpoints

SIEM Query:

source="wordpress.log" AND (user_role="contributor" AND action IN ("edit_post", "delete_post", "publish_post"))
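The SIEM query above expressed as a portable awk filter that can be run over exported logs where no SIEM is available. This is an added example, not part of the advisory; the key="value" log format, the field names user_role and action, and the sample lines are all constructed for illustration and will need to be adapted to the actual log source.

```shell
# Added example (not from the advisory): flag contributor-role users performing
# edit/delete/publish actions, mirroring the SIEM query, over constructed sample logs.
# Constructed sample input in an assumed key="value" format (not real site logs).
SAMPLE_LOG='ts=2023-11-20T10:01:02Z user=alice user_role="administrator" action="publish_post" post_id=101
ts=2023-11-20T10:02:15Z user=bob user_role="contributor" action="edit_post" post_id=102
ts=2023-11-20T10:03:40Z user=bob user_role="contributor" action="view_post" post_id=102
ts=2023-11-20T10:04:05Z user=carol user_role="contributor" action="delete_post" post_id=103
ts=2023-11-20T10:05:00Z user=bob user_role="contributor" action="publish_post" post_id=104'

# Reads log lines on stdin, prints those where a contributor performed one of the
# watched actions, and returns 0 if at least one line matched (1 otherwise).
flag_contributor_actions() {
    awk '
        /user_role="contributor"/ && /action="(edit_post|delete_post|publish_post)"/ { print; hits++ }
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Convenience wrapper for alert thresholds: number of flagged events on stdin.
count_contributor_actions() {
    flag_contributor_actions | wc -l | tr -d ' '
}

# Usage against the constructed sample: prints the three flagged lines and "3".
printf '%s\n' "$SAMPLE_LOG" | flag_contributor_actions
printf '%s\n' "$SAMPLE_LOG" | count_contributor_actions
```

Note that the filter only says what a contributor did, not whether it was legitimate; pair it with a baseline of normal contributor activity so that a sudden run of delete_post or publish_post events from one account stands out.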
