Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through <= 2.2.7.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows a DOM‑based XSS flaw in the JetTabs WordPress plugin. An attacker can inject and execute arbitrary JavaScript in the context of a site visitor's browser. This can lead to disclosure of session credentials, defacement, or execution of malicious code on the client side.

Affected Systems

The JetTabs plugin from Crocoblock, versions up to and including 2.2.7, is affected. Sites running any of these plugin versions on a WordPress installation are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity risk, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw has no entry in the CISA KEV catalog, indicating it is not currently being actively exploited in the wild. The likely attack vector is remote, where an unauthenticated user can craft malicious input or URLs that the plugin processes without proper sanitization, leading to execution in the victim's browser.

Generated by OpenCVE AI on April 30, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetTabs to the latest available version that is newer than 2.2.7.
  • If an upgrade is not possible, disable or remove the JetTabs plugin from the WordPress site.
  • Ensure that any user‑supplied content passed through JetTabs is properly sanitized to prevent script injection.

Advisories
Source | ID | Title
EUVD | EUVD-2025-27954 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through 2.2.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through 2.2.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through <= 2.2.7.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 17:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through 2.2.7.
Title WordPress JetTabs plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:31.920Z

Reserved: 2025-04-16T06:23:29.555Z

Link: CVE-2025-39450

Vulnrichment

Updated: 2025-05-20T13:14:06.315Z

NVD

Status: Deferred

Published: 2025-05-19T18:15:29.490

Modified: 2026-04-23T15:29:35.000

Link: CVE-2025-39450

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:45:26Z

Weaknesses