CVE-2021-41844 Open Redirect in JetEngine WordPress Plugin

1. Vulnerability Properties

Title: Open Redirect in JetEngine WordPress Plugin
CVE ID: CVE-2021-41844
CVSSv3 Base Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vendor: Crocoblock
Products: JetEngine
Advisory Release Date: 16-12-2021
Advisory URL:
Credits: Discovery by Bruno Barreirinhas <bb[at]>

2. Vulnerability Summary

The Crocoblock JetEngine plugin for WordPress is vulnerable to open redirection via GET or POST requests. The form parameter _jet_engine_refer accepts untrusted input, which can cause the web application to redirect the request to a URL contained in that input.
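
For sites that ran a version below 2.9.1, one way to review web server access logs for requests whose _jet_engine_refer value points off-site is shown below. This is an added example, not part of the original advisory or the vendor's code; the allowed hostname, the combined log format, the request paths and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "_jet_engine_refer"          # parameter named in the advisory
SITE_HOSTS = {"shop.example.com"}    # assumption: hosts the site may redirect to
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def is_offsite(target, site_hosts=SITE_HOSTS):
    """Return True if a redirect target would take the browser off the site."""
    t = target.strip().replace("\\", "/")    # browsers treat "\" like "/"
    if t.startswith("//"):                   # scheme-relative URL
        t = "http:" + t
    try:
        parts = urlsplit(t)
        host = (parts.hostname or "").lower()
    except ValueError:                       # unparsable authority: flag it
        return True
    if not parts.scheme and not parts.netloc:
        return False                         # plain relative path stays on the site
    if parts.scheme not in ("http", "https"):
        return True                          # e.g. javascript: or data:
    return host not in site_hosts            # hostname ignores any user@ prefix

def flag_requests(log_lines):
    """Return (client_ip, decoded_value) for each off-site PARAM value in a query string."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get(PARAM, []):   # parse_qs percent-decodes
            if is_offsite(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample lines (combined log format); paths and hosts are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2021:10:00:01 +0000] "GET /contact/?_jet_engine_refer=%2Fthank-you%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Sep/2021:10:00:05 +0000] "GET /contact/?_jet_engine_refer=https%3A%2F%2Flogin.example.net%2F HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Sep/2021:10:00:09 +0000] "GET /contact/?_jet_engine_refer=%2F%2Flogin.example.net HTTP/1.1" 302 0',
    '198.51.100.5 - - [01/Sep/2021:10:00:12 +0000] "GET /contact/?_jet_engine_refer=https%3A%2F%2Fshop.example.com%2Fthanks HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, value in flag_requests(SAMPLE_LOG):
        print(ip, value)
```

Access logs normally record only the query string, so this covers the GET case; values submitted in POST bodies need WAF or application-level logging to review.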

3. Vulnerable Versions

  • < 2.9.1

4. Solution

  • Update to version 2.9.1 or higher

5. Vulnerability Timeline

  • 12/Aug/21 - Bug reported to Crocoblock
  • 13/Aug/21 - Bug verified by vendor
  • 08/Sep/21 - Bug fixed by vendor
  • 16/Dec/21 - Advisory released

