Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable, no privileges needed, low confidentiality impact only; no integrity or availability effect per CWE-497 disclosure class.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2.
AnalysisAI
Unauthenticated sensitive data exposure in Crocoblock JetSearch WordPress plugin (all versions through 3.6.1.2) permits remote attackers to retrieve embedded sensitive system information without any credentials or user interaction. The flaw is classified under CWE-497, indicating the plugin surfaces internal system data through an externally accessible vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond the target WordPress site having the JetSearch plugin installed, active, and running a version at or below 3.6.1.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N signals a low-complexity, unauthenticated network-accessible flaw, but with only partial confidentiality impact and no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker sends a crafted HTTP request - likely targeting a WordPress AJAX endpoint or REST API route registered by JetSearch - to an internet-facing WordPress site running version 3.6.1.2 or earlier. The plugin processes the request without enforcing access controls and returns a response containing embedded sensitive system information such as internal file paths, configuration values, or similar metadata. … |
| Remediation | Update JetSearch to the version released after 3.6.1.2 via the WordPress plugin dashboard or by downloading directly from the Crocoblock/WordPress plugin repository; the exact patched version number was not specified in the source data and should be verified against the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-6-1-2-sensitive-data-exposure-vulnerability before applying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43319