Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch jet-search allows Blind SQL Injection.This issue affects JetSearch: from n/a through <= 3.5.10.
Published: 2025-10-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to perform a blind SQL injection by sending specially crafted input that is not properly escaped before being incorporated into an SQL statement. The flaw resides in the JetSearch plugin for WordPress, where user-supplied data is concatenated into a query without adequate sanitization. If successfully exploited, an attacker could read, modify, or delete data in the site's database, potentially compromising sensitive information hosted by the website.

Affected Systems

The affected product is the Crocoblock JetSearch plugin for WordPress, version 3.5.10 and all earlier releases. Organizations running a WordPress site with JetSearch up to and including 3.5.10 are vulnerable. No specific operating system or WordPress version is noted, so any environment that hosts the plugin is impacted.

Risk and Exploitability

With a CVSS score of 9.3, this flaw is considered critical. The EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is currently believed to be very low, and the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is remote, via an HTTP request to the plugin's endpoint, but the exact conditions required to trigger the injection are not detailed in the source. The risk level remains high because a successful exploit would grant an attacker database-level access.

Generated by OpenCVE AI on April 30, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Crocoblock JetSearch to a version newer than 3.5.10
  • If an update is not immediately possible, temporarily remove or disable the JetSearch plugin to prevent exploitation
  • Monitor database activity for signs of unauthorized queries or data exfiltration

Generated by OpenCVE AI on April 30, 2026 at 05:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

 cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CrocoBlock JetSearch jet-search allows Blind SQL Injection.This issue affects JetSearch: from n/a through <= 3.5.10. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch jet-search allows Blind SQL Injection.This issue affects JetSearch: from n/a through <= 3.5.10.

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Thu, 23 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CrocoBlock JetSearch jet-search allows Blind SQL Injection.This issue affects JetSearch: from n/a through <= 3.5.10.
Title WordPress JetSearch plugin <= 3.5.10 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:08.251Z

Reserved: 2025-06-11T16:07:08.211Z

Link: CVE-2025-49931

cve-icon Vulnrichment

Updated: 2025-10-23T15:19:51.476Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:39.227

Modified: 2026-04-27T20:16:18.200

Link: CVE-2025-49931

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z

Weaknesses