Impact
The vulnerability arises from improper neutralization of user‑supplied input that is rendered in the page by the JetTabs plugin. This allows an attacker to inject arbitrary JavaScript into the browser of anyone who visits a page that contains the affected tab content. The injected script can execute in the victim’s context, enabling defacement, cookie theft, session hijacking, or further malware delivery. The weakness is classified as an XSS flaw (CWE‑79).
Affected Systems
Any WordPress site running the JetTabs plugin from Crocoblock at version 2.2.12 or earlier is affected. Releases older than the earliest documented one fall within the affected range as well, although the advisory does not enumerate them. Sites without the plugin, or running a newer version, are not impacted.
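As an added example (not part of the advisory and not Crocoblock's code), the affected-range check an operator would run across an inventory of sites: it reads the Plugin Name and Version fields from WordPress plugin headers and compares the version against 2.2.12 numerically, since a plain string comparison sorts 2.2.9 after 2.2.12. The plugin paths and header texts are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range stated in the advisory: every JetTabs release up to and including 2.2.12.
LAST_AFFECTED_VERSION = "2.2.12"
AFFECTED_PLUGIN_NAME = "JetTabs"

# Header-field pattern modelled on WordPress's get_file_data(): the field name may be
# preceded by comment punctuation such as " * " or "//".
_HEADER_RE = r"^[ \t/*#@]*{field}:[ \t]*(.*?)[ \t]*$"

def header_field(plugin_file_text: str, field: str) -> Optional[str]:
    """Return one field from a WordPress plugin header comment, or None if absent."""
    pattern = _HEADER_RE.format(field=re.escape(field))
    m = re.search(pattern, plugin_file_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.2.12' into (2, 2, 12). Comparing int tuples keeps 2.2.9 < 2.2.12,
    whereas comparing the strings would wrongly order '2.2.12' before '2.2.9'."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)  # tolerate suffixes such as '1-beta'
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version: str) -> bool:
    """True when the installed version is inside the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)

def triage(plugin_files: Dict[str, str]) -> Dict[str, bool]:
    """Map plugin-file path -> header text to path -> affected, for JetTabs installs only."""
    verdicts = {}
    for path, text in plugin_files.items():
        name = header_field(text, "Plugin Name")
        version = header_field(text, "Version")
        if name != AFFECTED_PLUGIN_NAME or version is None:
            continue  # not JetTabs, or the header is too damaged to judge
        verdicts[path] = is_affected(version)
    return verdicts

# Constructed sample headers (not real plugin files) covering the edge cases.
SAMPLE_PLUGIN_FILES = {
    "site-a/wp-content/plugins/jet-tabs/jet-tabs.php": "<?php\n/**\n * Plugin Name: JetTabs\n * Version: 2.2.12\n */\n",
    "site-b/wp-content/plugins/jet-tabs/jet-tabs.php": "<?php\n/**\n * Plugin Name: JetTabs\n * Version: 2.2.9\n */\n",
    "site-c/wp-content/plugins/jet-tabs/jet-tabs.php": "<?php\n/*\nPlugin Name: JetTabs\nVersion: 2.3.0\n*/\n",
    "site-c/wp-content/plugins/other/other.php": "<?php\n/**\n * Plugin Name: Other Plugin\n * Version: 1.0.0\n */\n",
}

if __name__ == "__main__":
    for path, affected in triage(SAMPLE_PLUGIN_FILES).items():
        print(("AFFECTED " if affected else "ok       ") + path)
```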
Risk and Exploitability
The CVSS score of 6.5 places the vulnerability in the medium severity band, and the EPSS score of less than 1% indicates a very low probability of exploitation at the time of this analysis. The CVE has not been added to the CISA KEV catalog. The likely attack vector is a DOM‑based XSS that requires an attacker to deliver a malicious link or malicious content within a tab to a victim. Successful exploitation would require the victim’s browser to render the tab content, so the threat is reputational and user‑centric rather than system‑wide.
OpenCVE Enrichment