CVE-2025-54009

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSmartFilters jet-smart-filters allows Stored XSS. This issue affects JetSmartFilters: from n/a through <= 3.6.8.

Analysis (AI)

Stored cross-site scripting (XSS) in the Crocoblock JetSmartFilters WordPress plugin, through version 3.6.8, lets an attacker persist a malicious script in content the plugin renders, so that it executes in the browser of anyone who views the affected page, including site administrators. The root cause is improper neutralization of input during web page generation: stored data is written into HTML without being escaped for its output context. A script running in an administrator's session can act with that user's privileges (change settings, create accounts, install code) and read whatever the page exposes; it does not need the session cookie itself, which WordPress marks HttpOnly, to issue authenticated requests. No public exploit code had been identified at the time of analysis, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world exploitation likelihood, although stored XSS that reaches an administrator session is a well-worn path to full site takeover.

Technical Context (AI)

JetSmartFilters is a WordPress plugin that provides advanced filtering functionality for websites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is not escaped for the HTML context it is rendered into, so an attacker can inject arbitrary HTML and JavaScript. Because the input is stored (in plugin settings or in content the plugin renders), the payload persists in the site's database and fires on every page load that outputs it, for unauthenticated visitors as well as for logged-in users and administrators. The NVD entry gives no lower bound for the affected range ("from n/a"), so every release up to and including 3.6.8 should be treated as affected.
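To make the CWE-79 pattern concrete, here is an added PHP example; it is not JetSmartFilters' code, and because the page does not identify the affected field, a user-editable filter label rendered into a button is assumed. It shows the unescaped rendering beside the contextually escaped form a WordPress plugin should use. The esc_attr/esc_html definitions are stand-ins so the file runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not JetSmartFilters code. The page does not name the affected
// field, so a user-editable filter label rendered into HTML is assumed.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// esc_attr()/esc_html() exist and these definitions are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (CWE-79): stored data concatenated straight into markup.
function render_filter_vulnerable(string $label): string {
    return '<button class="jet-filter" data-label="' . $label . '">'
         . $label . '</button>';
}

// Hardened pattern: escape at output time, for the exact context of each slot
// (esc_attr inside an attribute value, esc_html inside a text node).
function render_filter_safe(string $label): string {
    return '<button class="jet-filter" data-label="' . esc_attr($label) . '">'
         . esc_html($label) . '</button>';
}

// Constructed stored value, as a low-privileged user could have saved it:
// a double quote closes data-label, then an event handler is appended.
$stored_label = 'Color" onmouseover="alert(document.domain)';

$bad  = render_filter_vulnerable($stored_label);
$good = render_filter_safe($stored_label);

echo "vulnerable: $bad\n";
echo "hardened:   $good\n";

// The hardened output never contains a raw quote or angle bracket from the
// stored value, so no attribute or tag boundary can be crossed.
if (strpos($bad, ' onmouseover="') === false || strpos($good, ' onmouseover="') !== false) {
    throw new RuntimeException('escaping check failed');
}
```

Sanitizing on save (sanitize_text_field and friends) is worthwhile defense in depth, but it is not the fix: the same stored value may be emitted into an attribute, a text node, a URL or a script block, and each needs its own escaper (esc_attr, esc_html, esc_url, wp_json_encode). Where the field is meant to hold limited HTML, wp_kses_post at output is the appropriate filter.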

Affected Products (AI)

Crocoblock JetSmartFilters WordPress plugin, all versions up to and including 3.6.8 (the NVD range gives no lower bound). The plugin is identified by the slug jet-smart-filters (listed here as wordpress:wordpress_plugins:jet-smart-filters). Any installation running version 3.6.8 or earlier is affected. The vulnerability advisory and additional technical details are available at https://patchstack.com/database/Wordpress/Plugin/jet-smart-filters/vulnerability/wordpress-jetsmartfilters-plugin-3-6-8-cross-site-scripting-xss-vulnerability.

Remediation (AI)

Update JetSmartFilters to a release later than 3.6.8 through the WordPress plugin management interface or from the vendor (Crocoblock); consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-smart-filters/vulnerability/wordpress-jetsmartfilters-plugin-3-6-8-cross-site-scripting-xss-vulnerability for the fixed version. Where the update channel supports it, enable automatic updates for the plugin. Until the update is applied: limit the accounts that can submit content or settings the plugin renders, review the plugin's stored options and user-submitted fields for unexpected HTML (script tags, on* event attributes, javascript: URLs), and deploy a Content Security Policy that disallows inline scripts. CSP reduces the impact of a payload that is already stored but does not remove it, and WordPress admin pages and many themes depend on inline scripts, so roll it out in Report-Only mode first and review the violation reports before enforcing.
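The two checks above, as an added PHP script that is neither vuln.today's nor Crocoblock's code: it reads the plugin's version header and compares it with the last affected release, and it builds the CSP header described in the remediation. The main plugin file path wp-content/plugins/jet-smart-filters/jet-smart-filters.php is an assumption; confirm it against your install.

```php
<?php
// Added example, not vuln.today's or Crocoblock's code. Checks whether an
// installed JetSmartFilters falls inside the affected range (<= 3.6.8 per the
// NVD description) and shows the CSP header the remediation text refers to.
// The path wp-content/plugins/jet-smart-filters/jet-smart-filters.php is an
// assumption about the plugin's main file; verify it against your install.

const JSF_LAST_AFFECTED = '3.6.8';

// Extract "Version:" from a WordPress plugin header (the doc comment at the
// top of the main plugin file), the same field get_plugin_data() reads.
function jsf_header_version(string $contents): ?string {
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $contents, $m)) {
        return $m[1];
    }
    return null;
}

function jsf_is_affected(?string $version): bool {
    // Unknown version: treat as affected, matching the open lower bound.
    if ($version === null) {
        return true;
    }
    return version_compare($version, JSF_LAST_AFFECTED, '<=');
}

// Mitigation-only CSP: forbids inline <script> and on* handlers, which is what
// a stored XSS payload needs, and blocks object embeds and <base> hijacking.
// It does not remove a stored payload. wp-admin and many themes use inline
// scripts, so start in Report-Only mode and review violations before enforcing.
function jsf_csp_header(bool $report_only = true): string {
    $name   = $report_only ? 'Content-Security-Policy-Report-Only'
                           : 'Content-Security-Policy';
    $policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
    return $name . ': ' . $policy;
}

// Inside WordPress (e.g. dropped into an mu-plugin), emit the header on every
// response. Outside WordPress add_action() does not exist and this is skipped.
if (function_exists('add_action')) {
    add_action('send_headers', function (): void {
        header(jsf_csp_header(true));
    });
}

// Stand-alone run: read the plugin file if a path is given, otherwise use a
// constructed header that mimics the WordPress plugin header format.
$sample_header = <<<'HDR'
<?php
/**
 * Plugin Name: JetSmartFilters
 * Version:     3.6.8
 */
HDR;

$path     = $argv[1] ?? null;
$contents = ($path !== null && is_readable($path)) ? file_get_contents($path) : $sample_header;
$version  = jsf_header_version($contents);

printf("JetSmartFilters version %s: %s\n",
    $version ?? 'unknown',
    jsf_is_affected($version) ? 'AFFECTED (<= ' . JSF_LAST_AFFECTED . '), update now'
                              : 'outside the affected range');
echo jsf_csp_header(true), "\n";
```

Run it as `php jsf_check.php wp-content/plugins/jet-smart-filters/jet-smart-filters.php` from the site root; on a host with WP-CLI, `wp plugin get jet-smart-filters --field=version` gives the same number without parsing the file. Keep the header in Report-Only mode until the violation reports are clean, then switch the argument to false to enforce.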


CVE-2025-54009 vulnerability details – vuln.today
