CVE-2025-53996

2025-07-16 [email protected]

Lifecycle Timeline

CVE Published: Jul 16, 2025 - 11:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows Stored XSS. This issue affects JetSearch: from n/a through <= 3.5.10.1.

Analysis (AI)

Stored cross-site scripting (XSS) in the Crocoblock JetSearch WordPress plugin, versions 3.5.10.1 and earlier, allows attackers to inject malicious scripts that persist in the application and execute in users' browsers when the affected pages are viewed. The vulnerability stems from improper neutralization of input during web page generation, enabling attackers with sufficient permissions to store XSS payloads that compromise other users' sessions and data. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack probability despite the persistent nature of the vulnerability.

Technical Context (AI)

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical weakness for cross-site scripting flaws. The JetSearch plugin, a WordPress search component, fails to properly sanitize and escape user-supplied input before rendering it in the page, allowing attackers to inject arbitrary HTML and JavaScript. Because the payload is stored in the application database or configuration, it executes every time the affected content is retrieved and displayed, creating a sustained attack surface. The advisory gives no earliest affected version ("from n/a"), so all releases through 3.5.10.1 should be treated as affected, suggesting a long-standing sanitization oversight in the codebase.

Affected Products (AI)

Crocoblock JetSearch WordPress plugin versions 3.5.10.1 and earlier are affected. The plugin is distributed through the official WordPress plugin repository. Affected users running any version up to and including 3.5.10.1 should upgrade immediately. Vulnerability details and patch information are available via the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-10-1-cross-site-scripting-xss-vulnerability.

Remediation (AI)

Upgrade the JetSearch plugin to a patched version greater than 3.5.10.1. In the WordPress admin panel, go to Plugins and update JetSearch to the latest available version (the exact version number should be confirmed from the official plugin repository or the vendor advisory). Until a patch is available, administrators can restrict post and page editing permissions to trusted users only, reducing the attack surface by limiting who can inject XSS payloads. Implement WordPress security hardening measures such as enabling object caching, using security plugins that filter XSS payloads, and regularly auditing user permissions. Full remediation details are available at https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-10-1-cross-site-scripting-xss-vulnerability.
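The output-escaping defect that the Technical Context section describes, shown as an added illustration: this is a hypothetical WordPress plugin setting, not JetSearch code, and the specific field affected in JetSearch is not identified on this page. The scenario assumes a user with settings access stores a search-box label that is rendered on every page showing the search box.

```php
<?php
// Added example: hypothetical plugin setting, not JetSearch code.
// A stored, user-controlled label is rendered on every page that shows the
// search box, so an unescaped value becomes stored XSS (CWE-79).

// Vulnerable pattern: the persisted value is placed in the page without escaping.
function demo_search_box_vulnerable() {
    $label = get_option( 'demo_search_label', 'Search' ); // user-controlled, persisted
    // A quote in $label breaks out of the attribute, and whatever follows it
    // is rendered as markup for every visitor until the value is changed.
    return '<input type="search" placeholder="' . $label . '">';
}

// Hardened pattern: sanitize when the option is saved, and escape for the
// exact output context when it is rendered.
function demo_register_settings() {
    register_setting( 'demo_settings', 'demo_search_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags on save
        'default'           => 'Search',
    ) );
}
add_action( 'admin_init', 'demo_register_settings' );

function demo_search_box() {
    $label = get_option( 'demo_search_label', 'Search' );
    // Escape at output even though input is now sanitized: values stored
    // before the fix are still in the database, and output escaping is what
    // neutralises them regardless of how they got there.
    return '<label>' . esc_html( $label ) . '</label>'                     // text-node context
         . '<input type="search" placeholder="' . esc_attr( $label ) . '">'; // attribute context
}
add_shortcode( 'demo_search', 'demo_search_box' );
```

Because the payload is stored, upgrading fixes the rendering path but does not by itself remove content saved earlier; reviewing settings and content edited by lower-privileged users after the upgrade closes that gap.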
