Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.8.0.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE-79) in the JetEngine plugin: a request parameter is reflected into the generated page without output encoding, so a crafted URL can inject script that runs in the browser of the user who opens it. On a WordPress site the realistic consequence is an attacker riding the session of a logged-in user who is lured into following the link, for example performing privileged actions through the site's own AJAX or REST endpoints, or altering what that user sees; WordPress sets its authentication cookies HttpOnly, so outright cookie theft is less likely than actions taken with the victim's session. The CVSS vector rates the confidentiality, integrity and availability impact as low (C:L/I:L/A:L) with changed scope, not a full compromise, and the record does not identify which parameter is reflected.

Affected Systems

Crocoblock JetEngine for WordPress, versions up to and including 3.8.0, is affected; the record gives no lower bound ("from n/a"). A site remains exposed until the plugin is updated past 3.8.0.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High). The vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L reflects network reachability with no authentication, but user interaction is required (the victim must open a crafted link) and each impact is rated low; the changed scope, because the script executes in the visitor's browser rather than on the server, is what lifts the score. The EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate no observed exploitation at the time of analysis, and the CVE is not in CISA's KEV catalog. Exploitation would consist of placing script in whichever request parameter the plugin echoes back unencoded, most plausibly a query-string value, and delivering the resulting URL to a target. Because the payload is reflected rather than stored, it affects only users who follow the crafted link, not every visitor to the site, and the worthwhile targets are logged-in editors and administrators.
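To make the mechanism concrete, the following is an added example and not code from JetEngine, Crocoblock or Patchstack: a hypothetical listing widget that reflects a search term into a text node, an attribute and a URL, first unencoded (the CWE-79 pattern) and then with encoding chosen per output context. The probe strings and the widget markup are constructed for illustration; the WordPress equivalents of the escaping calls are esc_html(), esc_attr() and esc_url().

```python
import html
from urllib.parse import quote

# Constructed inputs: two classic reflected-XSS probes and one benign search term.
# These are illustration values, not payloads taken from any advisory.
SCRIPT_TAG = "<script>alert(1)</script>"
ATTR_BREAKOUT = '" onmouseover="alert(1)'
BENIGN = "wordpress plugins"

# Crude markers of an executable context surviving into the output.
# Enough to show the difference below; this is not a scanner.
MARKERS = ("<script", 'onmouseover="')


def render_vulnerable(term: str) -> str:
    """Hypothetical listing widget that reflects a query parameter unencoded (CWE-79).

    The term lands in a text node, a quoted attribute and a URL, all verbatim.
    """
    return (
        f'<div class="jet-listing">Results for {term}</div>'
        f'<a href="?s={term}" title="{term}">Search again</a>'
    )


def render_hardened(term: str) -> str:
    """Same widget with encoding chosen per output context.

    html.escape(quote=True) covers text nodes and quoted attribute values
    (esc_html() / esc_attr() in WordPress); a URL query component needs
    percent-encoding instead (urlencode() inside an esc_url() call).
    """
    text_ctx = html.escape(term, quote=True)
    attr_ctx = html.escape(term, quote=True)
    url_ctx = quote(term, safe="")
    return (
        f'<div class="jet-listing">Results for {text_ctx}</div>'
        f'<a href="?s={url_ctx}" title="{attr_ctx}">Search again</a>'
    )


def has_executable_context(output: str) -> bool:
    """True if one of the marker strings survived into the rendered HTML."""
    lowered = output.lower()
    return any(marker in lowered for marker in MARKERS)


def round_trips(term: str) -> bool:
    """Escaping must preserve the data: decoding the escaped text gives the original.

    That is what separates output escaping from "sanitizing" by deleting characters.
    """
    return html.unescape(html.escape(term, quote=True)) == term


if __name__ == "__main__":
    for probe in (SCRIPT_TAG, ATTR_BREAKOUT, BENIGN):
        print(repr(probe))
        print("  vulnerable executes:", has_executable_context(render_vulnerable(probe)))
        print("  hardened executes:  ", has_executable_context(render_hardened(probe)))
        print("  data preserved:     ", round_trips(probe))
```

The point the round-trip check makes is that the fix is encoding at the moment of output, per context, rather than filtering characters out of the input; a term such as `"` or `<` is legitimate data and must survive, just inert.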

Generated by OpenCVE AI on April 29, 2026 at 11:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetEngine to a release later than 3.8.0. This record lists no fixed version, so confirm from the Crocoblock changelog or the Patchstack advisory which release contains the fix before relying on it.
  • If an upgrade is not immediately possible, disable JetEngine widgets, listings or forms that echo request parameters back into the page; the affected parameter is not identified in this record, so any JetEngine output built from user‑supplied input should be treated as in scope. The plugin-side fix is output escaping at render time (esc_html(), esc_attr(), esc_url() in WordPress), not input filtering alone.
  • Deploy a Content Security Policy that does not permit inline script as a second layer of defence. WordPress core and many plugins emit inline scripts, so a blanket ban breaks the admin interface; allow the site's own inline scripts with per-response nonces or hashes instead, and treat the policy as mitigation rather than a substitute for the fix.
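Whether a given policy actually blocks a reflected payload is easy to get wrong, so here is an added example (not OpenCVE's, Crocoblock's or Patchstack's code) that parses a Content-Security-Policy header value, decides whether inline script would run under it, and builds a nonce-based policy of the kind the recommendation above calls for. The header strings are constructed samples; the filter names mentioned in the comments (wp_script_attributes, wp_inline_script_attributes) are the WordPress hooks for attaching the nonce to emitted script tags.

```python
import secrets

# Two constructed header values: the kind of policy a WordPress site often ends
# up with, and a self-only policy that leaves no inline allowance at all.
PERMISSIVE = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"
SELF_ONLY = "script-src 'self'"

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def allows_inline_script(header: str) -> bool:
    """True if a reflected <script> block or on* handler would run under this policy.

    Rules applied: script-src falls back to default-src; no directive at all means
    no restriction; 'unsafe-inline' permits inline script unless a nonce or hash
    source is also listed, in which case CSP Level 2+ browsers ignore 'unsafe-inline'.
    """
    directives = parse_csp(header)
    sources = directives.get("script-src")
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_unsafe_inline = "'unsafe-inline'" in lowered
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    return has_unsafe_inline and not has_nonce_or_hash


def new_nonce() -> str:
    """Fresh per-response nonce; it must be unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def build_policy(nonce: str) -> str:
    """Policy under which only inline scripts tagged with the nonce may run.

    Every legitimate inline <script> must then carry nonce="<value>"; in WordPress
    that is done by filtering the emitted tag attributes (wp_script_attributes and
    wp_inline_script_attributes) rather than by editing templates by hand.
    """
    return (
        f"default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE), ("self-only", SELF_ONLY),
                          ("nonce-based", build_policy(new_nonce()))):
        print(f"{label:12} inline script allowed: {allows_inline_script(header)}")
```

Run against a site's real header, the check shows the common failure mode: a policy that looks strict but carries 'unsafe-inline' on script-src without a nonce or hash gives no protection against a reflected payload.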

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Crocoblock; Crocoblock jetengine; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Crocoblock; Crocoblock jetengine; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.8.0.
Type: Title
  Values Removed: (none)
  Values Added: WordPress JetEngine plugin <= 3.8.0 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
  Values Removed: (none)
  Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:59:35.697Z

Reserved: 2025-12-19T10:16:41.921Z

Link: CVE-2025-68495

Vulnrichment

Updated: 2026-02-23T21:46:31.355Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:09.630

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses