Skip to main content

JetReviews CVE-2026-61975

| EUVDEUVD-2026-43441 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-07-13 Patchstack
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible plugin endpoint leaks data with no authentication required; impact limited to partial confidentiality only, no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:14 vuln.today

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetReviews jet-reviews allows Retrieve Embedded Sensitive Data.This issue affects JetReviews: from n/a through <= 3.0.1.

AnalysisAI

JetReviews WordPress plugin by Crocoblock (versions through 3.0.1) exposes embedded sensitive system information to unauthenticated remote attackers, classified under CWE-497. The vulnerability permits retrieval of sensitive data that should remain internal to the application - likely API keys, configuration values, or credentials embedded in plugin output or REST endpoints - without requiring any authentication, user interaction, or elevated privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with JetReviews active
Exploit
Send unauthenticated HTTP request to exposed endpoint
Impact
Retrieve embedded sensitive data from response

Vulnerability AssessmentAI

Exploitation No special conditions beyond the plugin being installed and active - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote unauthenticated exploitation against any WordPress installation running JetReviews version 3.0.1 or earlier with the plugin active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 reflects a medium-severity finding with AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - network-reachable, trivially exploitable without credentials, but limited to partial confidentiality impact with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running JetReviews ≤ 3.0.1, then sends a crafted HTTP request to the plugin's exposed endpoint - likely a REST API route or AJAX handler - that returns sensitive embedded data such as an API key or credential. No public exploit code has been identified at time of analysis, but the low complexity vector suggests the technique is straightforward once the vulnerable endpoint path is identified, potentially through passive enumeration of WordPress plugin fingerprints.
Remediation Update JetReviews to a version beyond 3.0.1 as soon as it becomes available via the WordPress plugin repository or Crocoblock's distribution channel. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy