Skip to main content

JetReviews CVE-2026-57354

| EUVDEUVD-2026-41353 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-wvg9-j5ff-4m6w
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Subscriber access is required (PR:L), victim must render the page (UI:R), and scope changes to the browser/admin context (S:C); no availability impact is typical for stored XSS.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:35 vuln.today

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in JetReviews <= 3.0.0.1 versions.

AnalysisAI

Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target site
Delivery
Submit crafted XSS payload in JetReviews review field
Exploit
Admin views review content in browser
Execution
Injected script executes in admin session
Impact
Exfiltrate nonce or create rogue admin account

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a subscriber-level (or higher) WordPress account on the target site, meaning open user registration must be enabled or the attacker must have obtained credentials by other means. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) is driven by PR:L (requires subscriber account), UI:R (victim must view the page), and S:C (scope changes). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running JetReviews <= 3.0.0.1 and submits a review containing a crafted JavaScript payload - for example, a script that silently creates a new administrator account or exfiltrates the logged-in user's authentication cookies. When a site administrator visits the reviews section to moderate content, the stored script executes in their browser session, granting the attacker admin-level access to the WordPress installation. …
Remediation Update JetReviews to a version above 3.0.0.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy