Skip to main content

JetSearch CVE-2026-61977

| EUVDEUVD-2026-43319 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-07-13 Patchstack
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable, no privileges needed, low confidentiality impact only; no integrity or availability effect per CWE-497 disclosure class.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 10:20 vuln.today

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2.

AnalysisAI

Unauthenticated sensitive data exposure in Crocoblock JetSearch WordPress plugin (all versions through 3.6.1.2) permits remote attackers to retrieve embedded sensitive system information without any credentials or user interaction. The flaw is classified under CWE-497, indicating the plugin surfaces internal system data through an externally accessible vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running JetSearch ≤3.6.1.2
Exploit
Send unauthenticated HTTP request to vulnerable endpoint
Execution
Plugin returns response with embedded sensitive data
Impact
Collect disclosed information for reconnaissance or chained attack

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond the target WordPress site having the JetSearch plugin installed, active, and running a version at or below 3.6.1.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N signals a low-complexity, unauthenticated network-accessible flaw, but with only partial confidentiality impact and no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted HTTP request - likely targeting a WordPress AJAX endpoint or REST API route registered by JetSearch - to an internet-facing WordPress site running version 3.6.1.2 or earlier. The plugin processes the request without enforcing access controls and returns a response containing embedded sensitive system information such as internal file paths, configuration values, or similar metadata. …
Remediation Update JetSearch to the version released after 3.6.1.2 via the WordPress plugin dashboard or by downloading directly from the Crocoblock/WordPress plugin repository; the exact patched version number was not specified in the source data and should be verified against the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-6-1-2-sensitive-data-exposure-vulnerability before applying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy