Description
Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetPopup jet-popup allows Retrieve Embedded Sensitive Data. This issue affects JetPopup: from n/a through <= 2.0.15.
Published: 2025-08-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JetPopup plugin for WordPress is vulnerable to insertion of sensitive information into data that is sent to users or other systems. This flaw allows the plugin to embed hidden or confidential data in its outputs, leading to exposure of sensitive information. It is classified as CWE‑201 (Insertion of Sensitive Information Into Sent Data), an information exposure weakness.

Affected Systems

All versions of Crocoblock’s JetPopup plugin released through 2.0.15 inclusive are affected.

Risk and Exploitability

The CVSS score of 6.5 places this issue in the medium severity range. An EPSS score below 1% indicates that active exploitation is highly unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Exposure occurs when the plugin processes content that contains sensitive data; an attacker would need to trigger the plugin’s data handling routines. Based on the description, the likely attack vector is the submission of crafted user content that prompts the plugin to embed sensitive information, or access to the plugin’s output channels where the data is transmitted. The vulnerability does not appear to require privileged access beyond normal WordPress user permissions, potentially allowing exploitation by users who can submit content or view plugin output.

Generated by OpenCVE AI on April 30, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JetPopup plugin to version 2.0.16 or later as released by Crocoblock.
  • If an upgrade is not immediately possible, disable the JetPopup functionality that handles sensitive data or temporarily deactivate the plugin until a patch is available.
  • Monitor WordPress logs and plugin outputs for unexpected disclosure of confidential content and enable alerts for abnormal data transmissions.

Advisories
Source: EUVD
ID: EUVD-2025-25328
Title: Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetPopup allows Retrieve Embedded Sensitive Data. This issue affects JetPopup: from n/a through 2.0.15.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetPopup allows Retrieve Embedded Sensitive Data. This issue affects JetPopup: from n/a through 2.0.15.
  Added: Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetPopup jet-popup allows Retrieve Embedded Sensitive Data. This issue affects JetPopup: from n/a through <= 2.0.15.
Title
  Removed: WordPress JetPopup <= 2.0.15 - Sensitive Data Exposure Vulnerability
  Added: WordPress JetPopup plugin <= 2.0.15 - Sensitive Data Exposure vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetPopup allows Retrieve Embedded Sensitive Data. This issue affects JetPopup: from n/a through 2.0.15.
Title WordPress JetPopup <= 2.0.15 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.938Z

Reserved: 2025-07-16T08:51:16.734Z

Link: CVE-2025-53993

Vulnrichment

Updated: 2025-08-20T15:49:42.570Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:44.647

Modified: 2026-04-29T10:16:50.530

Link: CVE-2025-53993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:15:06Z

Weaknesses