Impact
The vulnerability allows unauthenticated users to inject arbitrary JavaScript into pages rendered by the JetEngine plugin in WordPress installations running versions 3.8.10 or earlier; this client‑side Cross‑Site Scripting flaw (CWE‑79) can lead to session hijacking, defacement, or execution of arbitrary code within the context of the site’s users and requires no authentication other than a crafted URL or page visit.
Affected Systems
The issue affects the JetEngine plugin published by Jetimpex Inc. for WordPress, specifically all releases up to and including version 3.8.10; administrators are advised to upgrade to at least version 3.8.10.1 where the flaw has been remediated.
Risk and Exploitability
The exposed client‑side weakness carries a CVSS score of 7.1, indicating high risk, no EPSS data is available, and the flaw is not listed in the CISA KEV catalog. Because the attack vector is unauthenticated and only requires a crafted URL, exploitation chances are high for any publicly accessible WordPress site that has not applied the fix. Attackers can use the XSS vector to steal credentials or spread malware by influencing victim browsers while interacting with the site.
OpenCVE Enrichment