CVE-2021-38607 Stored Cross-Site Scripting in JetEngine WordPress Plugin

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in JetEngine WordPress Plugin
CVE ID: CVE-2021-38607
CVSSv3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Vendor: Crocoblock
Products: JetEngine
Advisory Release Date: 16-12-2021
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-38607
Credits: Discovery by Bruno Barreirinhas <bb[at]integrity.pt>

2. Vulnerability Summary

The Crocoblock JetEngine plugin for WordPress is vulnerable to stored XSS in custom form inputs. The JavaScript payload is executed when authorized Users or Administrators attempt to update the data submitted through the custom form.
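The pattern behind this class of bug, shown as an added illustration that is not JetEngine's code and does not reproduce the advisory's payload: a plugin persists front-end form submissions and later echoes the stored values into an admin screen without escaping, so whatever an unprivileged submitter typed runs in the browser of the editor or administrator who opens the entry. The demo_form_* functions and the 'demo_form_entries' option name are hypothetical; the WordPress API calls (sanitize_text_field, wp_unslash, wp_kses_post, esc_attr, esc_textarea, get_option, update_option) are real.

```php
<?php
// Added example, not code from JetEngine or Crocoblock. Names prefixed
// demo_form_ and the option key 'demo_form_entries' are hypothetical;
// the WordPress functions used are the real core APIs.

// --- Storing a submission ----------------------------------------------

// Vulnerable pattern: raw request values are persisted as-is. A visitor
// needs no privileges to get arbitrary HTML into the store.
function demo_form_store_unsafe( array $post ) {
    $entries   = get_option( 'demo_form_entries', array() );
    $entries[] = array(
        'name'    => $post['name'],
        'message' => $post['message'],
    );
    update_option( 'demo_form_entries', $entries );
}

// Safer: normalize on input. sanitize_text_field() strips tags and control
// characters from single-line fields; wp_kses_post() keeps only the HTML a
// post author would be allowed to write. wp_unslash() removes the slashes
// WordPress adds to request data before the values are sanitized.
function demo_form_store_safe( array $post ) {
    $entries   = get_option( 'demo_form_entries', array() );
    $entries[] = array(
        'name'    => sanitize_text_field( wp_unslash( $post['name'] ?? '' ) ),
        'message' => wp_kses_post( wp_unslash( $post['message'] ?? '' ) ),
    );
    update_option( 'demo_form_entries', $entries );
}

// --- Rendering the admin "edit entry" screen ----------------------------

// Vulnerable pattern: stored values are echoed straight into the page.
// A value containing a closing quote or a closing tag breaks out of the
// attribute or textarea, and any script it carries runs for whichever
// administrator opens the entry. This is the stored-XSS step; fixing
// input alone is not enough, because older records, imports or direct
// database edits may never have passed through the sanitizer.
function demo_form_render_unsafe( array $entry ) {
    echo '<input type="text" name="name" value="' . $entry['name'] . '">';
    echo '<textarea name="message">' . $entry['message'] . '</textarea>';
}

// Safer: escape for the exact context each value lands in, regardless of
// what was done on input. esc_attr() for attribute values, esc_textarea()
// for textarea bodies (esc_html() for ordinary element content).
function demo_form_render_safe( array $entry ) {
    echo '<input type="text" name="name" value="' . esc_attr( $entry['name'] ) . '">';
    echo '<textarea name="message">' . esc_textarea( $entry['message'] ) . '</textarea>';
}
```

Both halves matter for review: sanitize on the way in so the datastore never holds markup the field was not meant to carry, and escape on the way out so that even tainted records cannot execute in an administrator's session. When auditing a plugin for this issue, look for admin-side views that print submission data without an esc_* or wp_kses call around it.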

3. Vulnerable Versions

  • < 2.6.1

4. Solution

  • Update to version 2.6.1 or higher

5. Vulnerability Timeline

  • 12/Aug/21 - Bug reported to Crocoblock
  • 13/Aug/21 - Bug verified by vendor
  • 16/Dec/21 - Advisory released

6. References

  • https://crocoblock.com/changelog/?plugin=jet-engine
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38607


© 2022 Integrity Part of Devoteam. All rights reserved.