
CVE-2025-0369 – Jet Engine <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via list_tag Parameter
https://notcve.org/view.php?id=CVE-2025-0369
17 Jan 2025 — The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://crocoblock.com/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-41844
https://notcve.org/view.php?id=CVE-2021-41844
15 Dec 2021 — Crocoblock JetEngine before 2.9.1 does not properly validate and sanitize form data. • https://crocoblock.com/changelog/?plugin=jet-engine • CWE-20: Improper Input Validation

CVE-2021-38607
https://notcve.org/view.php?id=CVE-2021-38607
16 Aug 2021 — Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input. • https://crocoblock.com/changelog/?plugin=jet-engine • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')