Description
Subscriber Cross Site Scripting (XSS) in JetReviews <= 3.0.0.1 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored Cross Site Scripting flaw in the JetReviews plugin, versions up to and including 3.0.0.1, exploitable by a user with subscriber privileges. It allows an attacker to inject arbitrary JavaScript into pages viewed by other users, potentially leading to credential theft, defacement, or malicious redirects. The weakness is improper neutralization of input during web page generation, classified as CWE-79.

Affected Systems

The JetReviews plugin for WordPress, distributed by Crocoblock and Jetimpex Inc., is affected. Versions up to and including 3.0.0.1 are vulnerable; all newer releases are considered fixed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, typical for XSS. No EPSS score is available, so the current probability of exploitation is unknown, and the absence of a KEV listing suggests no widespread exploitation has been documented. An attacker with a subscriber-level account can exploit the flaw by submitting a review or comment containing script content that executes in the browsers of other users who view it. The impact is confined to users who can view the injected content, whether unauthenticated visitors or logged-in users, but can amount to full session hijacking or defacement if a privileged user views the page.

Generated by OpenCVE AI on July 2, 2026 at 15:18 UTC.

Remediation

Vendor Solution

Update the WordPress JetReviews Plugin to the latest available version (at least 3.0.0.2).


OpenCVE Recommended Actions

  • Apply the latest version of JetReviews (3.0.0.2 or newer).
  • If an immediate upgrade is not possible, implement a strict Content Security Policy to reduce the impact of injected scripts.
  • Scrutinize existing review content for malicious scripts and sanitize or delete it, then ensure future inputs are properly escaped or filtered.



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 15:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Values added:
  • Description: Subscriber Cross Site Scripting (XSS) in JetReviews <= 3.0.0.1 versions.
  • Title: WordPress JetReviews plugin <= 3.0.0.1 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References: (none shown)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:35:43.161Z

Reserved: 2026-06-24T12:45:36.888Z

Link: CVE-2026-57354

Vulnrichment

Updated: 2026-07-02T14:35:39.721Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')