Impact
The JetEngine plugin for WordPress contains an unauthenticated Cross Site Scripting (XSS) flaw that permits an attacker to inject arbitrary JavaScript into pages served by the site. If exploited, the injected code would execute in the context of any user who interacts with those pages, potentially allowing the attacker to steal session cookies, deface content, redirect users, or launch further attacks. This weakness is classified as CWE‑79.
Affected Systems
WordPress installations that load JetEngine versions 3.8.10 or earlier are vulnerable. The vendor responsible is Jetimpex Inc., and the affected product is the JetEngine plugin for WordPress. Any deployment using this plugin in the specified version range is at risk.
Risk and Exploitability
The vulnerability is rated with a CVSS score of 7.1, indicating high severity. EPSS is not available, and the issue does not appear in CISA's KEV catalog, suggesting no confirmed exploitation yet. Because authentication is not required, the flaw could be triggered simply by browsing or by submitting crafted content through JetEngine‑powered forms, making it easily reachable to unauthenticated threat actors.
OpenCVE Enrichment