Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.This issue affects JetSearch: from n/a through <= 3.5.16.
Published: 2025-12-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting allowing injection of malicious scripts into the victim’s browser
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a DOM‑based XSS flaw caused by improper neutralization of user input before rendering in a web page. An attacker can inject arbitrary JavaScript into the page, which executes in the context of the victim’s browser. The weakness is identified as CWE‑79 and can lead to malicious scripts running on the client side.

Affected Systems

WordPress sites that run the JetSearch plugin version 3.5.16 or earlier are affected. The plugin, released by Crocoblock under the JetSearch name, is vulnerable from its earliest version through 3.5.16. No specific WordPress core or theme versions are indicated as impacted.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation at the present time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires a victim to visit a maliciously crafted URL or submit input that the plugin fails to sanitize, which is inferred from the description of a DOM‑based XSS flaw. Given these factors, the overall risk is considered moderate but with a low expected exploitation rate.
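To make the CWE-79 pattern named above concrete, here is a generic, self-contained illustration written for this note. It is not code from the JetSearch plugin, and the page URL, the `s` query parameter and the "results heading" widget behaviour are assumptions. The vulnerable shape reads a URL parameter client-side and splices it into markup destined for `innerHTML`; the hardened shapes escape the value before it reaches an HTML context or build the node with `textContent` so the browser never parses it as HTML. The embedded URL is a constructed test vector for verifying the fix, not a real site.

```javascript
// Added illustration of DOM-based XSS (CWE-79): untrusted data flows from a URL
// parameter into an HTML sink without neutralization. Generic example code for
// this note; NOT the JetSearch plugin's code. Parameter name "s" is assumed.

// Constructed test vector: a page URL whose "s" parameter carries markup that
// would fire an event handler if a browser parsed it as HTML.
const CONSTRUCTED_URL =
  "https://example.test/?s=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

// Source: read the search term the way a browser-side script would read it
// from location.search. Uses the WHATWG URL API (browsers and Node).
function readSearchTerm(pageUrl) {
  return new URL(pageUrl).searchParams.get("s") || "";
}

// VULNERABLE sink: the raw term is concatenated into an HTML fragment. In a
// real page this string would be assigned to element.innerHTML, so the <img>
// tag and its onerror handler become live DOM.
function renderUnsafe(term) {
  return `<h2 class="results-title">Results for: ${term}</h2>`;
}

// Hardened sink #1: neutralize the five HTML-significant characters before the
// value enters an HTML context (output encoding for the HTML element context).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderEscaped(term) {
  return `<h2 class="results-title">Results for: ${escapeHtml(term)}</h2>`;
}

// Hardened sink #2 (preferred in real DOM code): do not build markup from data
// at all. textContent creates a text node, which the HTML parser never sees.
// `doc` is passed in so the function runs against a browser document or a stub.
function renderWithTextContent(term, doc) {
  const heading = doc.createElement("h2");
  heading.className = "results-title";
  heading.textContent = `Results for: ${term}`;
  return heading;
}

// Minimal document stub so the textContent path can be exercised outside a
// browser. It records exactly what a DOM text node would hold.
const stubDocument = {
  createElement(tag) {
    return { tagName: tag.toUpperCase(), className: "", textContent: "" };
  },
};

// Defender's check: does a rendered fragment still contain an unescaped tag?
// Useful as a unit-test oracle when hardening a search widget.
function containsRawTag(html) {
  return /<[a-zA-Z][^>]*>/.test(html.replace(/^<h2[^>]*>|<\/h2>$/g, ""));
}

// Walk the flow end to end for the constructed URL.
function demo() {
  const term = readSearchTerm(CONSTRUCTED_URL);
  return {
    term,
    unsafe: renderUnsafe(term),
    escaped: renderEscaped(term),
    textNode: renderWithTextContent(term, stubDocument).textContent,
    unsafeStillHasTag: containsRawTag(renderUnsafe(term)),
    escapedStillHasTag: containsRawTag(renderEscaped(term)),
  };
}

console.log(demo());
```

Escaping at the sink is the minimum fix; in practice a plugin author would also prefer DOM APIs that take text rather than markup, and site operators can reduce blast radius with a Content-Security-Policy that disallows inline event handlers, which is what turns this class of bug from "script execution" into a blocked, logged violation.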

Generated by OpenCVE AI on April 28, 2026 at 10:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JetSearch to a version newer than 3.5.16.
  • If an immediate update is not possible, temporarily disable or remove the JetSearch plugin until a patch is applied.
  • Configure a web application firewall to block malicious scripts targeting the JetSearch plugin.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
  Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows DOM-Based XSS.This issue affects JetSearch: from n/a through 3.5.16.
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.This issue affects JetSearch: from n/a through <= 3.5.16.
Type: References
Type: Metrics (cvssV3_1)
  Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
  Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values added: Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 16:15:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Dec 2025 21:30:00 +0000

Type: Description
  Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows DOM-Based XSS.This issue affects JetSearch: from n/a through 3.5.16.
Type: Title
  Values added: WordPress JetSearch plugin <= 3.5.16 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  Values added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
  Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:29.082Z

Reserved: 2025-12-19T10:16:51.229Z

Link: CVE-2025-68504

Vulnrichment

Updated: 2025-12-30T15:50:03.646Z

NVD

Status: Deferred

Published: 2025-12-29T22:15:43.163

Modified: 2026-04-23T15:35:55.957

Link: CVE-2025-68504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses