Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible plugin endpoint leaks data with no authentication required; impact limited to partial confidentiality only, no integrity or availability consequence.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetReviews jet-reviews allows Retrieve Embedded Sensitive Data.This issue affects JetReviews: from n/a through <= 3.0.1.
AnalysisAI
JetReviews WordPress plugin by Crocoblock (versions through 3.0.1) exposes embedded sensitive system information to unauthenticated remote attackers, classified under CWE-497. The vulnerability permits retrieval of sensitive data that should remain internal to the application - likely API keys, configuration values, or credentials embedded in plugin output or REST endpoints - without requiring any authentication, user interaction, or elevated privileges. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions beyond the plugin being installed and active - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote unauthenticated exploitation against any WordPress installation running JetReviews version 3.0.1 or earlier with the plugin active. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 reflects a medium-severity finding with AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - network-reachable, trivially exploitable without credentials, but limited to partial confidentiality impact with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker discovers a WordPress site running JetReviews ≤ 3.0.1, then sends a crafted HTTP request to the plugin's exposed endpoint - likely a REST API route or AJAX handler - that returns sensitive embedded data such as an API key or credential. No public exploit code has been identified at time of analysis, but the low complexity vector suggests the technique is straightforward once the vulnerable endpoint path is identified, potentially through passive enumeration of WordPress plugin fingerprints. |
| Remediation | Update JetReviews to a version beyond 3.0.1 as soon as it becomes available via the WordPress plugin repository or Crocoblock's distribution channel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jetreviews
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43441