Description (source: NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTricks jet-tricks allows Stored XSS. This issue affects JetTricks: from n/a through <= 1.5.4.1.
Analysis (source: AI)
Stored cross-site scripting (XSS) in Crocoblock JetTricks WordPress plugin versions up to 1.5.4.1 allows authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise site visitors. No public exploit code or active exploitation has been identified at the time of analysis.
Technical Context (source: AI)
JetTricks is a WordPress plugin providing page-building functionality. The vulnerability is a stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) where user-supplied input is not adequately sanitized before being rendered in HTML output. This allows attackers to inject JavaScript payloads that are permanently stored in the application database and executed whenever the affected page is viewed. The attack vector is local to the WordPress admin interface or plugin-specific input fields, making it a privilege-escalation or plugin-abuse scenario rather than a remote unauthenticated attack.
Affected Products (source: AI)
Crocoblock JetTricks WordPress plugin versions from an unspecified baseline through version 1.5.4.1 are affected. The plugin is distributed via the WordPress Plugin Directory and can be identified by the CPE context of WordPress plugins. Users running any version up to and including 1.5.4.1 should update immediately. Refer to the Patchstack vulnerability database entry (patchstack.com/database/Wordpress/Plugin/jet-tricks) for vendor advisory details and confirmed fix information.
Remediation (source: AI)
Update the JetTricks plugin to a version newer than 1.5.4.1; consult the Crocoblock official repository or WordPress Plugin Directory for the latest patched release. If an immediate update is unavailable, restrict plugin access to trusted administrators only and disable the plugin on non-essential sites until a patch is deployed. Review the Patchstack advisory at the provided reference URL for any interim security recommendations. WordPress administrators should verify that any pages or content created with JetTricks while running a vulnerable version have not been tampered with, as stored XSS payloads may persist even after patching.
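The last remediation step, checking stored content for payloads that survived the update, can be scripted. The following is an added example (not code from this advisory or from the JetTricks plugin) that scans exported wp_posts rows for script-bearing markup; the sample rows are constructed.

```python
"""Post-patch audit for persisted XSS markup in stored WordPress content.

Added example, not code from the advisory or the JetTricks plugin: content
saved while a vulnerable version was installed may still carry injected
markup, so exported post rows are scanned for script-bearing HTML.
"""
from html.parser import HTMLParser

SCRIPT_TAGS = {"script", "iframe", "object", "embed"}   # elements that can run or load script
URL_ATTRS = {"href", "src", "action", "formaction"}      # attributes that accept a URI


class PayloadScanner(HTMLParser):
    """Record markup that would execute in a visitor's browser when rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in SCRIPT_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name} event handler")
            elif name in URL_ATTRS and value:
                uri = value.strip().lower()
                if uri.startswith(("javascript:", "data:text/html")):
                    self.findings.append(f"{tag}@{name} uses {uri.split(':')[0]}: URI")


def scan_content(html):
    """Return finding descriptions for one post_content string (empty list if clean)."""
    scanner = PayloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def audit_posts(rows):
    """rows: iterable of (post_id, post_content); returns {post_id: findings} for flagged rows."""
    return {pid: found for pid, content in rows if (found := scan_content(content))}


# Constructed sample rows standing in for `SELECT ID, post_content FROM wp_posts`.
SAMPLE_ROWS = [
    (101, "<section class='jet-tricks'><p>Benign widget output</p></section>"),
    (102, '<div onmouseover="alert(1)">hover me</div>'),
    (103, '<a href="JavaScript:alert(1)">read more</a>'),
    (104, "<p>text</p><script>alert(1)</script>"),
]
```

Run `audit_posts` over rows exported from the live database (post content plus any postmeta the plugin writes) and review each flagged post by hand; a non-empty result is a lead, not proof of compromise.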