Jetreviews
Monthly
JetReviews WordPress plugin by Crocoblock (versions through 3.0.1) exposes embedded sensitive system information to unauthenticated remote attackers, classified under CWE-497. The vulnerability permits retrieval of sensitive data that should remain internal to the application - likely API keys, configuration values, or credentials embedded in plugin output or REST endpoints - without requiring any authentication, user interaction, or elevated privileges. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-friction CVSS vector (AV:N/AC:L/PR:N/UI:N) means any internet-facing WordPress site running this plugin version is passively exposed.
Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low attack complexity and the prevalence of WordPress in production environments make this a credible escalation path to full site compromise.
JetReviews WordPress plugin by Crocoblock (versions through 3.0.1) exposes embedded sensitive system information to unauthenticated remote attackers, classified under CWE-497. The vulnerability permits retrieval of sensitive data that should remain internal to the application - likely API keys, configuration values, or credentials embedded in plugin output or REST endpoints - without requiring any authentication, user interaction, or elevated privileges. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-friction CVSS vector (AV:N/AC:L/PR:N/UI:N) means any internet-facing WordPress site running this plugin version is passively exposed.
Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low attack complexity and the prevalence of WordPress in production environments make this a credible escalation path to full site compromise.