CVE-2025-0369

Vulnerability

Overview The JetEngine WordPress plugin, up to version 3.6.2, contains a stored cross-site scripting (XSS) vulnerability in the 'list_tag' parameter. The root cause is insufficient input sanitization and output escaping, allowing malicious input to be stored and later executed in the browser of any user viewing the affected page [1].

Exploitation

Details An authenticated attacker with at least Contributor-level access can exploit this by injecting arbitrary web scripts through the 'list_tag' parameter. No additional privileges are required beyond standard contributor permissions. The injected script executes whenever a user accesses the page where the malicious input is stored, making it a stored XSS attack.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session cookie theft, page defacement, redirection to malicious sites, or other actions that compromise the integrity and confidentiality of the WordPress site.

Mitigation

The vendor has been notified and a fix is expected in a subsequent release. Users are advised to update the JetEngine plugin to the latest version available and review the changelog for patched versions [2]. As a general security measure, restrict contributor-level access to trusted users only.