CVE-2025-49931
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch (jet-search) allows Blind SQL Injection. This issue affects JetSearch: from n/a through 3.5.10.
Analysis
A blind SQL injection in the Crocoblock JetSearch WordPress plugin, versions up to and including 3.5.10, lets an unauthenticated remote attacker infer database contents through crafted search requests. The vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) yields a CVSS 3.1 base score of 9.3 (Critical): reachable over the network, low complexity, no privileges or user interaction, and changed scope because the impacted component (the WordPress database) is not the vulnerable one (the plugin). At the time of analysis the EPSS probability was 0.04% (12th percentile) and no public exploit had been identified; the score reflects impact and ease of exploitation, not observed attacks. The practical consequence is exfiltration of data from the WordPress database, including the wp_users table with its password hashes, on sites running the vulnerable plugin.
Technical Context
JetSearch is a WordPress plugin by Crocoblock that provides AJAX-powered search. The flaw is improper neutralization of user-supplied input in an SQL query (CWE-89), exploitable as a blind SQL injection: the attacker does not see query output directly but learns one bit per request, either because a conditional clause changes whether the search returns results (boolean-based) or because an injected SLEEP() or BENCHMARK() delays the response (time-based). Repeated over many requests, that is enough to read arbitrary rows, which is why a "blind" injection carries the same confidentiality impact as a classic one. The plugin's search parameter handling does not neutralize SQL metacharacters (above all the quote that closes a string literal), so injected SQL executes with the privileges of the WordPress database user, which reaches every table in the site's database. The advisory gives no lower bound ("from n/a"), so every release up to and including 3.5.10 should be treated as affected; the CPE data does not narrow this further.
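The boolean-based inference described above, as an added example rather than code from JetSearch or Patchstack: a toy search handler that splices the term into its SQL, next to the parameterized version, plus the inference loop an attacker would run against the first one. The SQLite schema, its rows, the "world" search term and the target column are all constructed for the demonstration and do not describe the plugin's actual query.

```python
import sqlite3

# Added example (not JetSearch code): a search handler built by string
# concatenation beside the parameterized version, and a boolean-based blind
# inference loop that shows why "blind" still leaks data. Schema, rows and
# the search query are constructed for the demonstration.


def make_db():
    """Constructed in-memory stand-in for a WordPress database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'Hello world', 'publish'), (2, 'Secret draft', 'draft');
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashOnly');
    """)
    return con


def search_vulnerable(con, term):
    """CWE-89: the search term is spliced into the SQL text."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE '%" + term + "%'")
    return [row[0] for row in con.execute(sql)]


def search_hardened(con, term):
    """The term is bound as a parameter, so it can only ever be data.
    LIKE wildcards in the term are escaped too, the way $wpdb->esc_like()
    does before $wpdb->prepare() in WordPress."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE ? ESCAPE '\\'")
    return [row[0] for row in con.execute(sql, ("%" + escaped + "%",))]


def boolean_blind_extract(search, max_len=32):
    """Recover wp_users.user_login for ID 1 one character at a time.
    Each request asks a yes/no question: 'yes' is the published post
    coming back, 'no' is an empty result. The secret is never displayed."""
    out = ""
    for pos in range(1, max_len + 1):
        matched = False
        for code in range(32, 127):
            payload = ("world' AND unicode(substr((SELECT user_login FROM wp_users "
                       f"WHERE ID = 1), {pos}, 1)) = {code} -- ")
            if search(payload):
                out += chr(code)
                matched = True
                break
        if not matched:      # substr() past the end yields '' -> no row -> done
            break
    return out


if __name__ == "__main__":
    con = make_db()
    print("vulnerable search leaks:", boolean_blind_extract(lambda t: search_vulnerable(con, t)))
    print("hardened search leaks:  ", repr(boolean_blind_extract(lambda t: search_hardened(con, t))))
```

The trailing "-- " in the payload comments out the closing "%'" of the original query, which is why the attacker needs only the quote that ends the string literal. Against the parameterized handler the same payload is just an unlikely search string and the loop extracts nothing; the wildcard escaping is a separate point, keeping "%" in a user's term from turning into a match-everything query.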
Affected Products
This vulnerability affects the Crocoblock JetSearch plugin for WordPress in every version through 3.5.10 inclusive. JetSearch is a premium plugin providing AJAX search, typically deployed on e-commerce and content-heavy WordPress sites built on the Crocoblock ecosystem. The issue was reported by the Patchstack security research team. Any WordPress installation with JetSearch 3.5.10 or earlier should be considered affected. The Patchstack advisory is at https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-10-sql-injection-vulnerability.
Remediation
Upgrade JetSearch to version 3.5.11 or later, which addresses the SQL injection through input validation and parameterized queries (in WordPress terms, $wpdb->prepare() with $wpdb->esc_like() for LIKE terms). Install the update from the WordPress plugin dashboard or from Crocoblock's official distribution channels, and verify the installed version afterwards. If patching is not immediately possible, reduce exposure until it is: deactivate JetSearch; or, where the site can tolerate it, limit search to logged-in users, keeping in mind that the flaw needs no privileges (PR:N), so this shrinks the attacker population without removing the bug; and deploy WAF rules that block SQL injection patterns in search parameters, a stopgap only, since blind payloads can be obfuscated. For detection, watch for search requests whose values contain SQL keywords and operators (SLEEP, BENCHMARK, UNION ... SELECT, a quote followed by AND/OR and a comparison, comment sequences); plain SELECT is not a useful indicator, since every legitimate query contains it. Time-based payloads also surface in the MySQL slow query log as long-running SLEEP() or BENCHMARK() calls. For the period in which a vulnerable version was deployed, review web server access logs for requests to the search endpoints, looking for runs of hundreds of near-identical requests from one client, which is what character-by-character blind extraction looks like; AJAX requests that carry the term in a POST body are not visible in standard access logs, so pair that review with WAF logs or the slow query log. Full details and remediation guidance are in the Patchstack advisory linked above.
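The log review and keyword monitoring described above, as an added example that is not from vuln.today, Patchstack or Crocoblock: a scanner that URL-decodes every query-string value in combined-format access log lines and tags the SQL injection indicators named in this section. The sample lines, the /wp-admin/admin-ajax.php?action=ajax_search endpoint and the term and s parameter names are constructed and hypothetical; the advisory does not name the vulnerable parameter, which is why every value is checked.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Added example (not vuln.today's, Patchstack's or Crocoblock's code): triage of
# web server access logs for SQL injection indicators in any query-string value.
# The log lines, endpoint path and parameter names are constructed.

SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:08:01:12 +0000] "GET /?s=laptop&post_type=product HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:08:01:13 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_search&term=laptop%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 44 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jun/2025:08:01:19 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_search&term=laptop%27%20AND%201%3D1--%20 HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:08:02:00 +0000] "GET /?s=Rock+%26+Roll HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:08:02:30 +0000] "GET /?s=%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 4870 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Matched against the URL-decoded value, not the raw request line, so
# percent-encoding does not hide anything. Ordered most specific first.
INDICATORS = [
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("union", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("boolean", re.compile(r"""['")]\s*(?:and|or)\s+[\w'"()]+\s*(?:=|<|>|like\b)""", re.I)),
    ("comment", re.compile(r"--\s|--$|/\*")),
]


def classify_value(value):
    """Names of every indicator that fires on one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_log(text):
    """Parse combined-format lines; one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "path": parts.path, "param": name,
                                 "value": value, "indicators": hits})
    return findings


def sources(findings):
    """Findings per client address; a long run from one IP is the blind-SQLi signature."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], f["param"], f["indicators"], repr(f["value"]))
    print(sources(found))
```

Treat the indicators as triage signals rather than proof: "Rock & Roll" and "don't stop" pass cleanly, but a real blind attack is recognised less by any single payload than by the volume that sources() surfaces, one request per candidate character. Access logs only carry GET query strings, so a search term sent in a POST body needs WAF or application logging, and time-based payloads are best confirmed in the MySQL slow query log.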