EUVD-2026-37633Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated XSS requiring victim click (UI:R); injected script crosses into victim session origin so S:C with low C/I/A impacts typical of reflected/stored XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.
AnalysisAI
Unauthenticated cross-site scripting in the JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject malicious scripts that execute in the browser of any user who interacts with a crafted link or page. The CVSS 7.1 score reflects the scope change inherent to XSS (attacker-supplied JavaScript runs in the victim's site origin), and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim with an active browser session to load a JetEngine-rendered page or follow an attacker-crafted link (UI:R), and the target WordPress site must have the JetEngine plugin installed at version 3.8.10 or earlier on a publicly reachable endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates network-reachable, low-complexity exploitation with no privileges required but mandatory user interaction (clicking a link or visiting a crafted page), and a scope change reflecting that injected script runs in the victim's authenticated browser context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or comment payload that triggers the JetEngine rendering path with an embedded script tag and sends it via phishing or social media to a logged-in WordPress administrator. When the admin loads the page, the script executes in their session context (scope change per CVSS), allowing the attacker to issue authenticated REST/admin-ajax calls to create a new admin user or upload a malicious plugin. … |
| Remediation | Upgrade JetEngine to a version newer than 3.8.10 as published by Crocoblock - the exact fixed release is not specified in the input data, so consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-10-cross-site-scripting-xss-vulnerability for the confirmed patched version before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress instances running JetEngine and determine current plugin versions; disable the plugin immediately if it is not critical to operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Co
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote
Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote att
Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inj
Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to
Share
External POC / Exploit Code
Leaving vuln.today