CVE-2025-68504

Published 2025-12-29; reported by [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 29, 2025 - 22:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS. This issue affects JetSearch: from n/a through <= 3.5.16.

Analysis

DOM-based cross-site scripting (XSS) in the Crocoblock JetSearch WordPress plugin, through version 3.5.16, lets an attacker inject a script into the search interface that then executes in the browser of any user who loads the crafted page. The flaw lies in the plugin's client-side handling of search input during page generation; a successful injection can steal session tokens, redirect the victim, or perform actions on behalf of an authenticated user, and the attacker needs no account of their own. No CVSS score was available at analysis time. The low EPSS score (0.04%, 14th percentile) suggests limited likelihood of real-world exploitation despite the XSS vector.

Technical Context

This vulnerability is a DOM-based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Crocoblock JetSearch plugin, a search extension for WordPress. DOM-based XSS occurs when untrusted input (typically taken from a client-side source such as the URL fragment, query string, or a form field) is used by page JavaScript to update the Document Object Model without sanitization or output encoding, so attacker-controlled text becomes live markup and arbitrary JavaScript runs. The stated root cause is insufficient input validation or output encoding when the plugin processes search queries and builds dynamic HTML elements. Unlike reflected or stored XSS, the payload in a DOM-based XSS need never reach the server: the vulnerable step is entirely client-side, in the plugin's JavaScript interacting with the page structure, so server-side filtering and web application firewalls may not observe it.
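The following is an added example, not code from JetSearch or Crocoblock, illustrating the generic source-to-sink pattern described above. It reads a search term from a URL fragment (a classic DOM XSS source), shows a vulnerable renderer that interpolates it raw into markup destined for innerHTML, and beside it two hardened renderers: one that applies HTML output encoding, and one that builds nodes with the DOM API and textContent so there is no HTML sink at all. All function names, the hostile query string, and the result list are constructed for the example.

```javascript
// Added example (not JetSearch code): the DOM-based XSS pattern described
// above, beside hardened versions. Names and sample data are constructed.

// A constructed search term of the kind an attacker could place in a URL
// fragment; a safe renderer must show it as text, never run it as markup.
const CONSTRUCTED_HOSTILE_QUERY = "<script>alert('xss')</script>";

// Constructed search results, standing in for whatever a search plugin's
// AJAX endpoint would return.
const CONSTRUCTED_RESULTS = [
  { title: "Getting started", url: "https://example.invalid/start" },
  { title: "Pricing", url: "https://example.invalid/pricing" },
];

// Read the query from a fragment such as "#q=term". location.hash is a
// classic DOM XSS *source*: it is never sent to the server, so server-side
// filtering cannot help.
function readQueryFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("q") || "";
}

// Encode the five characters that matter in HTML text and attribute
// context. This is the output encoding CWE-79 calls for whenever markup is
// assembled as a string.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only http(s) links are allowed in href; a javascript: URL there is a
// second sink that escaping alone does not close.
function isSafeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// VULNERABLE pattern: the untrusted query is interpolated straight into
// markup. Once this string is assigned to element.innerHTML (a DOM XSS
// *sink*), any tags inside the query become live DOM nodes.
function renderResultsUnsafe(query, results) {
  const items = results
    .map((r) => `<li><a href="${r.url}">${r.title}</a></li>`)
    .join("");
  return `<p>Results for: ${query}</p><ul>${items}</ul>`;
}

// HARDENED pattern (string form): every untrusted value is encoded before it
// enters markup, so the hostile query renders as literal text.
function renderResultsSafe(query, results) {
  const items = results
    .map((r) => {
      const href = isSafeHref(r.url) ? escapeHtml(r.url) : "#";
      return `<li><a href="${href}">${escapeHtml(r.title)}</a></li>`;
    })
    .join("");
  return `<p>Results for: ${escapeHtml(query)}</p><ul>${items}</ul>`;
}

// HARDENED pattern (preferred in browser code): build nodes with the DOM API
// and assign text via textContent, which parses nothing as HTML. Guarded so
// the file also runs under Node, where there is no document.
function mountResultsSafe(container, query, results) {
  if (typeof document === "undefined") return false;
  container.replaceChildren(); // clear previous results
  const heading = document.createElement("p");
  heading.textContent = `Results for: ${query}`;
  const list = document.createElement("ul");
  for (const r of results) {
    const li = document.createElement("li");
    const a = document.createElement("a");
    a.href = isSafeHref(r.url) ? r.url : "#"; // set, never concatenate
    a.textContent = r.title;
    li.appendChild(a);
    list.appendChild(li);
  }
  container.append(heading, list);
  return true;
}

// Detection helper for the check below: does the produced markup still
// contain an unencoded script tag?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof document === "undefined") {
  const q = readQueryFromHash("#q=" + encodeURIComponent(CONSTRUCTED_HOSTILE_QUERY));
  console.log("unsafe renderer leaves a live <script> tag:",
    containsLiveScriptTag(renderResultsUnsafe(q, CONSTRUCTED_RESULTS)));
  console.log("safe renderer leaves a live <script> tag:",
    containsLiveScriptTag(renderResultsSafe(q, CONSTRUCTED_RESULTS)));
}
```

Run under Node it prints `true` for the unsafe renderer and `false` for the safe one; in a browser, `mountResultsSafe(document.getElementById("results"), q, results)` is the form to prefer, since it never passes attacker text through an HTML parser. Reviewing a plugin's front-end code for this class of bug means tracing each source (hash, query string, form fields, postMessage data) to its sink (innerHTML, outerHTML, insertAdjacentHTML, jQuery's .html(), document.write) and confirming encoding or a DOM-API rewrite at each one.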

Affected Products

Crocoblock JetSearch WordPress plugin, version 3.5.16 and earlier. The affected product is identified by the CPE namespace for WordPress plugins, under the jet-search plugin slug. The vulnerability was disclosed by [email protected] and is documented in the Patchstack vulnerability database.

Remediation

Update Crocoblock JetSearch to a version newer than 3.5.16 immediately. Check the official Crocoblock plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-16-cross-site-scripting-xss-vulnerability for the latest patched release. WordPress administrators should enable automatic plugin updates if they are not already configured. As an interim mitigation, review and restrict the input accepted by the search function and consider deploying Content Security Policy (CSP) headers that disallow inline script execution, which limits what an injected script can do; neither measure is a substitute for patching.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
