Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Reflected XSS flaw in the WordPress JNews - Video plugin versions up to 11.0.2. An attacker may craft a URL containing malicious script that the plugin does not properly neutralize, causing the browser to execute the script when the victim visits the link. This flaw is an improper neutralization of input before rendering, classified as CWE‑79.

Affected Systems

This issue affects the JNews - Video plugin from jegtheme, specifically any installation of the plugin version 11.0.2 or older. The CVE description indicates a range from the earliest release to 11.0.2, so any site using these versions is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 rates this as a high-severity vulnerability, while the EPSS score is below 1 %, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV. An attacker can exploit it without authentication by getting a victim to open a crafted URL, enabling reflected XSS that executes arbitrary client‑side code in the victim’s browser.

Generated by OpenCVE AI on April 29, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JNews - Video plugin to 11.0.3 or later where the XSS flaw has been patched.
  • If an upgrade cannot be performed immediately, enforce a strong Content Security Policy that restricts script execution on pages using the plugin.
  • Manually validate and sanitize all input fields handled by the plugin using WordPress sanitization functions to prevent injection.
  • Disable the plugin entirely if the site cannot be updated or patched in a timely manner.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Jnews; Jnews jnews; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Jnews; Jnews jnews; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2.

Type: Title
Values Removed: (none)
Values Added: WordPress JNews - Video plugin <= 11.0.2 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:08:27.886Z

Reserved: 2025-12-24T14:00:54.031Z

Link: CVE-2025-68906

Vulnrichment

Updated: 2026-01-27T20:58:43.676Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:14.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:00:11Z

Weaknesses