Impact
The vulnerability is an unauthenticated XSS flaw that allows an attacker to inject arbitrary JavaScript into the site’s pages. This can lead to session hijacking, credential theft, defacement, or the execution of malicious payloads within the browser of any visitor. The flaw is rooted in improper input sanitization, as identified by CWE‑79, and grants attackers the ability to compromise confidentiality, integrity, and availability of the affected site’s content.
Affected Systems
The issue affects Jetimpex Inc.’s JetEngine plugin versions up to and including 3.8.9.1. WordPress sites installing or using these vulnerable plugin editions are exposed.
Risk and Exploitability
The CVSS score of 7.1 classifies this as a high‑severity vulnerability. Though an EPSS score is unavailable, the flaw’s design allows exploitation from any external visitor without authentication, implying a high likelihood of targeted attacks. It is not listed in the CISA KEV catalog, but the absence of a need for admin rights and the potential for widespread impact raise the practical risk for vulnerable installations.
OpenCVE Enrichment