CVE-2025-68499

2025-12-30 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 30, 2025 - 00:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs jet-tabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through <= 2.2.12.

Analysis

DOM-based cross-site scripting (XSS) in Crocoblock JetTabs WordPress plugin versions up to 2.2.12 allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected XSS attacks without requiring authentication. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is very low despite the publicly documented vulnerability.

Technical Context

The vulnerability is a DOM-based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the JetTabs plugin, a WordPress component for creating tabbed content interfaces. DOM-based XSS occurs when user-controlled input is processed by client-side JavaScript and inserted into the DOM without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript in the context of the affected website. The vulnerability affects the jet-tabs plugin (WordPress plugin namespace) across all versions from release through 2.2.12, indicating the flaw has existed in the codebase for an extended period without remediation.

Affected Products

Crocoblock JetTabs plugin for WordPress (WordPress plugin identifier: jet-tabs) is affected in all versions from initial release through version 2.2.12 inclusive. The vulnerability documentation and advisory are available at https://patchstack.com/database/Wordpress/Plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-cross-site-scripting-xss-vulnerability?_s_id=cve via Patchstack's vulnerability database.

Remediation

Users should upgrade the JetTabs plugin to a version newer than 2.2.12 immediately; the vendor advisory at Patchstack should be consulted for the specific patched version number and upgrade instructions. In the interim, website administrators should restrict JetTabs functionality to trusted content sources only and avoid allowing user-generated content in tabbed sections. WordPress security plugins with input filtering capabilities can provide limited mitigation by sanitizing form submissions before they reach the plugin. Website administrators should also audit any existing user-submitted data that may have been processed by vulnerable versions and remove any suspicious content.
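As an added illustration of the DOM-based XSS pattern described under Technical Context and of the "trusted content sources only" advice above, the following is example code written for this page, not JetTabs code: the advisory does not name the vulnerable sink, so the URL-fragment source, the `tab-panel` class name and the tab ids are assumptions. It places the unsafe pattern (untrusted fragment concatenated into markup destined for `innerHTML`) beside a hardened form that validates the fragment against the ids the page actually rendered and HTML-encodes anything written into markup, plus a small check that flags rendered output containing tags the template never produced.

```javascript
// Added example (not JetTabs code). Models a tab widget that selects the active tab
// from the URL fragment (e.g. location.hash) and writes it into markup.

// Constructed sample: the tab ids the page actually rendered (the allowlist).
const KNOWN_TAB_IDS = ["overview", "pricing", "faq"];

// VULNERABLE pattern, shown for contrast only: the untrusted fragment is concatenated
// straight into an HTML string that would then be assigned to element.innerHTML.
function buildTabHtmlUnsafe(fragment) {
  const tabId = String(fragment).replace(/^#/, "");
  return '<div class="tab-panel active" data-tab="' + tabId + '">' + tabId + "</div>";
}

// HTML-encode the five characters that matter in element content and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED pattern, step 1: treat the fragment as a selector, not as content. It must
// look like a short token and must match a tab id the page knows; otherwise fall back
// to the first tab instead of rendering whatever arrived in the URL.
function resolveTabId(fragment, knownIds = KNOWN_TAB_IDS) {
  const tabId = String(fragment).replace(/^#/, "");
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(tabId)) return knownIds[0];
  return knownIds.includes(tabId) ? tabId : knownIds[0];
}

// HARDENED pattern, step 2: even the validated id is encoded before it lands in markup,
// so the two defences do not depend on each other.
function buildTabHtmlSafe(fragment, knownIds = KNOWN_TAB_IDS) {
  const tabId = resolveTabId(fragment, knownIds);
  return '<div class="tab-panel active" data-tab="' + escapeHtml(tabId) + '">' +
    escapeHtml(tabId) + "</div>";
}

// Review-time check on rendered output: the template only ever emits <div> tags, so any
// other tag in the result means untrusted input reached the markup unencoded.
function containsInjectedMarkup(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some((tag) => !/^<\/?div\b/.test(tag));
}

// Constructed sample fragment carrying markup instead of a tab id.
const SAMPLE_UNTRUSTED_FRAGMENT = "#<img src=x onerror=alert(1)>";

// Stand-alone demonstration: the unsafe build leaks the tag, the safe build does not.
console.log("unsafe injected:", containsInjectedMarkup(buildTabHtmlUnsafe(SAMPLE_UNTRUSTED_FRAGMENT)));
console.log("safe   injected:", containsInjectedMarkup(buildTabHtmlSafe(SAMPLE_UNTRUSTED_FRAGMENT)));
console.log("safe   markup  :", buildTabHtmlSafe("#pricing"));
```

The allowlist in `resolveTabId` is the part that corresponds to "trusted content sources only": the fragment chooses among tabs the page already rendered and is never itself rendered, so the encoding in `buildTabHtmlSafe` is defence in depth rather than the only barrier. For the real plugin, the patched version named in the Patchstack advisory is the fix; this block only shows the shape of the defect and its correction.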

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
