CVE-2025-53195

Vulnerability

Overview

CVE-2025-53195 is a Stored Cross-Site Scripting (XSS) vulnerability in the Crocoblock JetEngine plugin for WordPress, affecting versions from n/a through 3.7.0. The root cause is improper neutralization of user-supplied input during web page generation allows an attacker to stored content enables an attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML payloads [1].

Exploitation

Details

Exploitation

To exploit this vulnerability, an attacker must have a WordPress user account with at least Contributor role. The attacker can inject malicious script code into a post, page, or custom content type via the plugin manages. When a privileged user (e.g., Administrator) views the injected content, the script executes in their browser session, potentially leading to session hijacking, defacement, or further compromise [1].

Impact

Successful exploitation allows an attacker to perform actions on behalf of the victim user, such as creating new admin accounts, modifying site content, or redirecting visitors to malicious sites. The CVSS v3 base score is 6.5 (Medium), reflecting the need for authenticated access and user interaction [1].

Mitigation

The vendor has released version 3.7.1.1 which fixes the vulnerability. Users are strongly advised to update immediately. For Patchstack users, auto-updates can be enabled for vulnerable plugins. No workaround is available; updating is the only remediation [1].