Skip to main content

Jetreviews

2 CVEs product

Monthly

CVE-2026-61975 MEDIUM This Month

JetReviews WordPress plugin by Crocoblock (versions through 3.0.1) exposes embedded sensitive system information to unauthenticated remote attackers, classified under CWE-497. The vulnerability permits retrieval of sensitive data that should remain internal to the application - likely API keys, configuration values, or credentials embedded in plugin output or REST endpoints - without requiring any authentication, user interaction, or elevated privileges. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-friction CVSS vector (AV:N/AC:L/PR:N/UI:N) means any internet-facing WordPress site running this plugin version is passively exposed.

Information Disclosure Jetreviews
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57354 MEDIUM This Month

Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low attack complexity and the prevalence of WordPress in production environments make this a credible escalation path to full site compromise.

XSS Jetreviews
NVD
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

JetReviews WordPress plugin by Crocoblock (versions through 3.0.1) exposes embedded sensitive system information to unauthenticated remote attackers, classified under CWE-497. The vulnerability permits retrieval of sensitive data that should remain internal to the application - likely API keys, configuration values, or credentials embedded in plugin output or REST endpoints - without requiring any authentication, user interaction, or elevated privileges. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-friction CVSS vector (AV:N/AC:L/PR:N/UI:N) means any internet-facing WordPress site running this plugin version is passively exposed.

Information Disclosure Jetreviews
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low attack complexity and the prevalence of WordPress in production environments make this a credible escalation path to full site compromise.

XSS Jetreviews
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy