CVE-2025-54749
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetProductGallery jet-woo-product-gallery allows Stored XSS. This issue affects JetProductGallery: from n/a through <= 2.2.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in JetProductGallery WordPress plugin (<=2.2.0.2) allows attackers with contributor-level access to inject malicious scripts.
Vulnerability Type
The vulnerability is a stored cross-site scripting (XSS) flaw in the JetProductGallery plugin for WordPress, caused by improper neutralization of input during web page generation [1]. It affects all versions through 2.2.0.2.
Exploitation
Exploitation requires a privileged user, such as a contributor, to inject a malicious script via the plugin's input fields [1]. No user interaction is required from victims; the script executes automatically when visitors access the affected page.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of visitors, enabling actions like redirects, data theft, or injecting advertisements [1].
Mitigation
Users should update to version 2.2.0.3 or later to resolve the issue. Patchstack users can enable auto-update for vulnerable plugins [1]. Although the vulnerability is rated medium severity (CVSS 6.5), it is known to be used in mass-exploit campaigns.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.2.0.2
Patches
No patches discovered yet.
References