CVE-2021-38607 Stored Cross-Site Scripting in JetEngine Wordpress Plugin

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in JetEngine Wordpress Plugin
CVE ID: CVE-2021-38607
CVSSv3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Vendor: Crocoblock
Products: JetEngine
Advisory Release Date: 16-12-2021
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-38607
Credits: Discovery by Bruno Barreirinhas <bb[at]integrity.pt>

2. Vulnerability Summary

The Crocoblock JetEngine plugin for WordPress is vulnerable to stored cross-site scripting (XSS) through custom form inputs: a JavaScript payload submitted in a custom form field is stored and later executed in the browser of any authorized user or administrator who opens the submitted data in order to update it.
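The defect class described above, as an added illustration that is not JetEngine's own code: a stored form value written into an admin editing screen without escaping, beside the version that escapes it for the output context. The function names, the sample submission and the fallback definitions of esc_attr()/esc_html() (used only when the file is run outside WordPress) are assumptions.

```php
<?php
// Added illustration of the defect class, not JetEngine's own code: a form
// value stored from a front-end submission is later rendered into an admin
// editing screen. Function and variable names below are hypothetical.

// Stand-ins so the file runs outside WordPress; inside WordPress the real
// esc_attr()/esc_html() exist and these definitions are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample submission: a visitor typed markup into a text field.
$submission = [
    'name'    => 'Alice',
    'message' => 'Hello "world" <b>bold</b>',
];

// Vulnerable pattern: stored values concatenated straight into the markup,
// so a quote or angle bracket in the value breaks out of the attribute.
function render_editor_vulnerable(array $fields): string {
    $html = '';
    foreach ($fields as $key => $value) {
        $html .= '<label>' . $key . '</label>';
        $html .= '<input type="text" name="' . $key . '" value="' . $value . '">';
    }
    return $html;
}

// Fixed pattern: escape each value at output time for the context it is
// written into (attribute value vs. text node).
function render_editor_fixed(array $fields): string {
    $html = '';
    foreach ($fields as $key => $value) {
        $html .= '<label>' . esc_html($key) . '</label>';
        $html .= '<input type="text" name="' . esc_attr($key)
               . '" value="' . esc_attr($value) . '">';
    }
    return $html;
}

echo "Vulnerable:\n" . render_editor_vulnerable($submission) . "\n\n";
echo "Fixed:\n" . render_editor_fixed($submission) . "\n";
```

In the fixed output the quotes and angle brackets of the message field appear as entities, so the stored value stays inside the attribute instead of becoming markup.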

3. Vulnerable Versions

  • < 2.6.1

4. Solution

  • Update to version 2.6.1 or higher

5. Vulnerability Timeline

  • 12/Aug/21 - Bug reported to Crocoblock
  • 13/Aug/21 - Bug verified by vendor
  • 16/Dec/21 - Advisory released

6. References

  • https://crocoblock.com/changelog/?plugin=jet-engine
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38607
