Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS. This issue affects JetEngine: from n/a through <= 3.7.1.2.
Published: 2025-08-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JetEngine WordPress plugin contains a stored cross-site scripting flaw: user input supplied through custom fields or content entries is not properly neutralized when the page is rendered. The weakness is classified as CWE-79 (improper neutralization of input during web page generation), the classic input-handling flaw behind XSS, and it lets an attacker inject script that runs in the browser of every visitor who views the compromised content. Based on the description, it is inferred that an attacker could exfiltrate session cookies, mount phishing from the trusted site, or deface pages by embedding script that executes for all site users.

Affected Systems

The flaw impacts the Crocoblock JetEngine WordPress plugin from its earliest releases up through version 3.7.1.2. System administrators who have installed JetEngine 3.7.1.2 or an older release are at risk; newer releases may contain the fix.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% signifies a low probability of current exploitation. The likely attack vector is the plugin's content editing interface, which typically requires administrative or content-management privileges to add or edit custom fields; note that the recorded CVSS vector (PR:L, UI:R, S:C) rates the required privileges as low, requires user interaction, and scores the impact as scope-changed because the script runs in visitors' browsers. If an attacker gains that ability, they can store malicious script data that will execute for every visitor who views the affected page. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 06:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetEngine to the latest version that addresses the stored XSS issue, such as 3.7.1.3 or later.
  • Restrict editing rights for JetEngine custom fields so that only trusted administrators can modify content.
  • Deploy an additional input sanitization layer or use a reputable security plugin to cleanse custom field data before it is rendered on the front end.

Advisories
Source: EUVD
ID: EUVD-2025-24706
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine allows Stored XSS. This issue affects JetEngine: from n/a through 3.7.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine allows Stored XSS. This issue affects JetEngine: from n/a through 3.7.1.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS.This issue affects JetEngine: from n/a through <= 3.7.1.2.

Type: References

Type: Metrics (cvssV3_1)
Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 14 Aug 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Crocoblock; Crocoblock jetengine; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Crocoblock; Crocoblock jetengine; Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine allows Stored XSS. This issue affects JetEngine: from n/a through 3.7.1.2.

Type: Title
Values Added: WordPress JetEngine Plugin plugin <= 3.7.1.2 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.906Z

Reserved: 2025-07-28T10:55:57.299Z

Link: CVE-2025-54688

Vulnrichment

Updated: 2025-08-14T18:43:11.648Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:48.600

Modified: 2026-04-23T15:32:49.650

Link: CVE-2025-54688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses