The JetEngine plugin for WordPress suffers from a stored cross‑site scripting flaw that can be triggered through the list_tag parameter. The flaw stems from insufficient input sanitization and output escaping, allowing authenticated users with Contributor‑level access or higher to embed arbitrary web scripts. When a victim accesses a page containing the injected value, the malicious script executes in the victim’s browser, potentially leading to session hijacking, credential theft, defacement, or phishing attacks. This vulnerability grants attackers a persistent control over the user’s viewing context but does not provide remote code execution on the server side.

Crocoblock’s JetEngine plugin for WordPress in all releases up to and including version 3.6.2 is affected. Any site that has installed one of these vulnerable versions is at risk. The vulnerability remains in all prior releases of the plugin; upgrading to a later version completely removes the flaw.

The official CVSS score is 6.4, placing the issue in the medium severity range. The EPSS score of less than 1% indicates that exploitation attempts are relatively unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to possess Contributor or higher credentials, which may be available through legitimate user roles. Once authenticated, the attacker submits a crafted value for the list_tag field, which then persists in the database and is rendered on the front‑end when the corresponding page is viewed. The impact is limited to browsers of authenticated or unfiltered users who view the injected content, but the attacker can leverage this to conduct session‑level attacks against those users.