Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that allows an attacker to execute arbitrary client‑side code in the victim’s browser
Action: Apply Patch
AI Analysis

Impact

The JetEngine plugin for WordPress contains an improper input neutralization flaw that permits reflected XSS. An attacker can inject malicious JavaScript that is executed within the context of the victim’s browser when the user interacts with certain plugin pages. This may lead to defacement, credential theft, or session hijacking depending on the exploitability of the injected script.

Affected Systems

Crocoblock’s JetEngine WordPress plugin, any installation running version 3.7.7 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 marks this as a high‑severity vulnerability. The EPSS score of <1 % indicates a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector is a crafted HTTP request that results in reflected script execution when a user loads the affected interface; no special privileges are required.

Generated by OpenCVE AI on April 28, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetEngine to the latest version available from Crocoblock, which resolves the XSS flaw (any release newer than 3.7.7).
  • If an upgrade cannot be performed immediately, temporarily disable or remove the JetEngine plugin to eliminate the attack surface until a patch is available.
  • Deploy a web application firewall or similar input validation layer to block or sanitize malicious script payloads before they are reflected back to the user.

Generated by OpenCVE AI on April 28, 2026 at 18:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress
Vendors & Products Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7.
Title WordPress JetEngine plugin <= 3.7.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Crocoblock Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:26:28.518Z

Reserved: 2025-12-15T09:59:49.436Z

Link: CVE-2025-67923

cve-icon Vulnrichment

Updated: 2026-01-28T19:12:06.093Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:02.460

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67923

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses