Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows DOM-Based XSS. This issue affects JetEngine: from n/a through <= 3.6.4.1.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Neutralization of Input During Web Page Generation (CWE‑79) in the Crocoblock JetEngine WordPress plugin permits the injection of arbitrary script when unsanitized user input is rendered. Because the flaw is DOM‑based, the injected code runs in the victim's browser. Given the general nature of XSS, an attacker could potentially steal cookies, hijack sessions, or perform actions as the user; this impact is inferred from typical XSS consequences and is not explicitly stated in the CVE description. The vulnerability lies in client‑side code only, so it does not grant remote code execution on the server.

Affected Systems

The flaw affects all installations of the JetEngine plugin at version 3.6.4.1 and earlier. It does not impact other Crocoblock products or later plugin releases. WordPress sites running this plugin and reachable over the network should be checked for a vulnerable version.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalogue. Attackers would need to deliver a crafted request that includes the unsanitized input, typically via a user‑sourced field or URL parameter. While this could be done remotely, the requirement for user interaction is inferred from the DOM‑based nature and is not explicitly stated in the description; the CVSS vector recorded on this page (AV:N/AC:L/PR:L/UI:R/S:C) is consistent with that reading, as it marks the attack vector as network, privileges as low and user interaction as required.

Generated by OpenCVE AI on May 2, 2026 at 02:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the JetEngine plugin to version 3.6.4.2 or later, ensuring the XSS fix is applied.
  • If an update is unavailable or delayed, disable the JetEngine plugin entirely on the affected WordPress site to eliminate the attack surface.
  • Conduct a thorough review of the site’s input handling and sanitize all user‑supplied data to safeguard against future XSS flaws.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-11123
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound JetEngine allows DOM-Based XSS. This issue affects JetEngine: from n/a through 3.6.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound JetEngine allows DOM-Based XSS. This issue affects JetEngine: from n/a through 3.6.4.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows DOM-Based XSS. This issue affects JetEngine: from n/a through <= 3.6.4.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 22:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound JetEngine allows DOM-Based XSS. This issue affects JetEngine: from n/a through 3.6.4.1.
Title WordPress JetEngine plugin <= 3.6.4.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:40.858Z

Reserved: 2025-02-17T11:49:35.312Z

Link: CVE-2025-26870

Vulnrichment

Updated: 2025-04-16T14:58:03.100Z

NVD

Status : Deferred

Published: 2025-04-15T22:15:17.503

Modified: 2026-04-23T15:25:58.300

Link: CVE-2025-26870

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z

Weaknesses