Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows Stored XSS. This issue affects JetSearch: from n/a through <= 3.5.10.1.
Published: 2025-07-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored XSS flaw: input supplied to the JetSearch plugin is not properly neutralized before being rendered in a web page. An attacker can inject JavaScript that is stored and later executed in the browsers of users who view the affected pages, potentially allowing credential theft or defacement of the site's content. The weakness is classified as CWE-79, a common improper-neutralization (output encoding) issue.

Affected Systems

Crocoblock JetSearch is affected in all releases up to and including 3.5.10.1. The plugin is commonly used within WordPress installations, so any site running JetSearch at version 3.5.10.1 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate-severity flaw. The EPSS score of less than 1% suggests low historical exploitation likelihood, and the vulnerability is not listed in CISA's KEV catalog. However, because the injected content is stored and rendered on later page loads, an attacker who can place content into the plugin's input fields could run arbitrary client-side code in the browser of any user who views the affected page. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C) indicates that injection requires a low-privileged account and that a victim must load the affected page, and that the impact crosses from the plugin into visitors' browsers. The attack vector is likely the plugin's web form inputs or management interface, which allow arbitrary text to be stored and rendered later.

Generated by OpenCVE AI on April 30, 2026 at 09:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update JetSearch to any version newer than 3.5.10.1 to eliminate the stored XSS vulnerability.
  • If an immediate update is not possible, disable all features that allow user-supplied data to be stored and displayed by the plugin, or otherwise sanitize stored content to remove script tags and event-handler attributes before it is rendered.
  • Implement a Content Security Policy (CSP) for the site to limit what a stored XSS payload can do, restricting inline scripts and third-party script sources.

Advisories
Source: EUVD
ID: EUVD-2025-21684
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows Stored XSS. This issue affects JetSearch: from n/a through 3.5.10.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows Stored XSS. This issue affects JetSearch: from n/a through 3.5.10.1.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows Stored XSS.This issue affects JetSearch: from n/a through <= 3.5.10.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00031}


Wed, 16 Jul 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows Stored XSS. This issue affects JetSearch: from n/a through 3.5.10.1.
Title WordPress JetSearch plugin <= 3.5.10.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:27.982Z

Reserved: 2025-07-16T08:51:16.734Z

Link: CVE-2025-53996

Vulnrichment

Updated: 2025-07-16T19:51:25.715Z

NVD

Status: Deferred

Published: 2025-07-16T11:15:27.630

Modified: 2026-04-23T15:32:40.567

Link: CVE-2025-53996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:45:25Z

Weaknesses