Lifecycle Timeline
Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows Stored XSS. This issue affects JetTabs: from n/a through <= 2.2.9.
Analysis (AI)
Stored XSS vulnerability in Crocoblock JetTabs WordPress plugin version 2.2.9 and earlier allows authenticated attackers to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent payload storage and site-wide impact. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) suggests limited real-world exploitation probability despite the persistent nature of stored XSS.
Technical Context (AI)
The vulnerability is a classic Stored Cross-Site Scripting (CWE-79) flaw occurring in the Crocoblock JetTabs plugin, a WordPress component for creating tabbed content layouts. The root cause is insufficient input validation and output encoding when processing user-supplied data that becomes part of dynamically generated web pages. Stored XSS vulnerabilities in WordPress plugins are particularly dangerous because malicious payloads persist in the database and affect all site visitors, including administrators, without requiring per-victim delivery. The vulnerability affects the JetTabs product (CPE identifier for WordPress plugins typically follows: cpe:2.4:a:crocoblock:jettabs:*:*:*:*:wordpress:*) through version 2.2.9.
Affected Products (AI)
Crocoblock JetTabs WordPress plugin is affected in all versions from initial release through version 2.2.9 inclusive. The plugin is distributed via the WordPress.org plugin repository. Affected installations running JetTabs 2.2.9 or earlier on WordPress sites are at risk. Detailed vulnerability information and advisory is available at https://patchstack.com/database/Wordpress/Plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-9-cross-site-scripting-xss-vulnerability.
Remediation (AI)
Update the Crocoblock JetTabs plugin to a version newer than 2.2.9 immediately. Vendors typically address reported vulnerabilities in subsequent releases; consult the plugin's changelog or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-9-cross-site-scripting-xss-vulnerability to identify the fixed version. As an interim control, restrict JetTabs content editing permissions to trusted administrative users only, limiting the number of accounts capable of injecting stored payloads. Audit existing JetTabs content for suspicious scripts or unfamiliar code, particularly if the plugin has been installed on sites with multiple contributors.
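The Technical Context and Remediation sections describe the root cause (stored user data reaching the page without output encoding) and the fix (escape at output time, limit who can store such content). The following PHP is an added illustration of that generic WordPress pattern; it is not JetTabs code and makes no claim about where the plugin's own flaw lives. The function names (render_tab_unsafe, render_tab_safe, render_tab_attr_safe) and the sample tab label are constructed for the example; esc_html, esc_attr, wp_kses_post and current_user_can are real WordPress core functions.

```php
<?php
// Added example, not plugin code. Demonstrates the difference between
// echoing stored content raw and escaping it for its output context.

// Constructed sample: a tab label as an editor-level user might have saved it.
$tab_label = '<img src=x onerror="alert(1)">Pricing';

// Vulnerable pattern: stored data is concatenated straight into HTML, so any
// markup saved in the label is rendered (and executed) in every visitor's browser.
function render_tab_unsafe( $label ) {
    return '<li class="jet-tab">' . $label . '</li>';
}

// Hardened pattern: escape for the HTML text context at the point of output.
// The same label now renders as visible text instead of a live <img> tag.
function render_tab_safe( $label ) {
    return '<li class="jet-tab">' . esc_html( $label ) . '</li>';
}

// Escaping is context-specific: attribute values need esc_attr(), and labels
// that legitimately carry limited markup should go through wp_kses_post(),
// which strips script-bearing tags and event-handler attributes.
function render_tab_attr_safe( $tab_id, $label ) {
    return sprintf(
        '<button class="jet-tab" data-tab="%s">%s</button>',
        esc_attr( $tab_id ),
        wp_kses_post( $label )
    );
}

// Defensive save-side check matching the interim control above: only accounts
// holding the unfiltered_html capability may store raw markup at all.
function can_store_raw_markup() {
    return current_user_can( 'unfiltered_html' );
}

if ( ! can_store_raw_markup() ) {
    $tab_label = wp_kses_post( $tab_label );
}

echo render_tab_safe( $tab_label );
echo render_tab_attr_safe( 'tab-1', $tab_label );
```

When auditing existing tab content as the remediation suggests, the same wp_kses_post() filter can be run over stored labels and descriptions to find entries whose filtered form differs from what was saved; a difference means the record contains markup that a text-only field should never hold.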