Impact
The vulnerability is a stored Cross-Site Scripting (XSS) flaw in JetReviews plugin versions up to 3.0.0.1 that can be triggered by a user with subscriber-level privileges. It allows an attacker to inject arbitrary JavaScript into pages viewed by other users, potentially leading to credential theft, defacement, or malicious redirects. The weakness is a classic input validation error, classified as CWE-79.
Affected Systems
The JetReviews plugin for WordPress, distributed by Crocoblock and Jetimpex Inc., is affected. Versions up to and including 3.0.0.1 are vulnerable; all newer releases are considered fixed.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, which is typical for a stored XSS flaw. No EPSS score is available, so the current probability of exploitation is unknown, and the lack of a KEV listing suggests no widespread exploitation has been documented. Attackers can exploit the flaw by crafting a review or comment (subscriber level) containing malicious scripts that execute in the browsers of other users who view the compromised content. The impact is limited to users who can view the injected content, such as site visitors or authenticated users, but can escalate to full session hijacking or defacement if the script runs in the browser of an administrator or editor.
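As an added illustration (not JetReviews code, and not a reconstruction of the plugin's actual code path), the following plain PHP contrasts the unsafe rendering pattern behind a CWE-79 finding with the escaped form a WordPress plugin should use. The review array, the field names and the sample payloads are constructed for the example; `esc_html()` and `esc_attr()` are WordPress's own escaping helpers, with fallbacks so the file also runs outside WordPress.

```php
<?php
// Added example, not code from the JetReviews plugin. Shows why a stored
// subscriber-level XSS arises (untrusted review text echoed verbatim) and
// how context-aware output escaping neutralises it.

// Fallbacks so the script runs in plain PHP; inside WordPress the real
// esc_html()/esc_attr() are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed review, as a subscriber might submit it. The author field
// tries to break out of an attribute; the body carries a script tag.
$review = [
    'author'  => 'eve" onmouseover="alert(1)',
    'rating'  => 5,
    'content' => 'Great plugin!<script>alert(document.cookie)</script>',
];

// Vulnerable pattern (CWE-79): untrusted fields are concatenated straight
// into the HTML, so every visitor's browser runs the embedded script.
function render_review_unsafe(array $r): string {
    return '<div class="review" data-author="' . $r['author'] . '">'
         . '<span class="stars">' . (int) $r['rating'] . '</span>'
         . '<p>' . $r['content'] . '</p></div>';
}

// Hardened pattern: each untrusted value is escaped at output time for the
// context it lands in (esc_attr for attribute values, esc_html for element
// text); the numeric rating is cast to int. A review body that legitimately
// needs limited markup would go through wp_kses_post() instead of esc_html().
function render_review_safe(array $r): string {
    return '<div class="review" data-author="' . esc_attr($r['author']) . '">'
         . '<span class="stars">' . (int) $r['rating'] . '</span>'
         . '<p>' . esc_html($r['content']) . '</p></div>';
}

echo "UNSAFE: ", render_review_unsafe($review), PHP_EOL;
echo "SAFE:   ", render_review_safe($review), PHP_EOL;
```

Run with `php render_review.php`: the unsafe line contains a live `<script>` element and an injected `onmouseover` handler, while the safe line renders the same input as inert text (`&lt;script&gt;`, `&quot;`). When reviewing a plugin for this class of bug, look for every place review or comment fields reach the page and confirm that an `esc_*()` or `wp_kses_*()` call sits at the output site, not only at save time.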
OpenCVE Enrichment