Cross-Site Scripting Vulnerability in JetEngine by NotFound
CVE-2025-26870

6.5MEDIUM

Key Information:

Vendor: Notfound
Status: Jetengine
Vendor: CVE Published:; 15 April 2025

What is CVE-2025-26870?

The JetEngine plugin by NotFound contains a vulnerability that allows for Cross-Site Scripting (XSS) attacks through improper input neutralization during web page generation. This vulnerability can lead to unauthorized script execution in the user's browser, potentially compromising the security of web applications using this plugin. Users are advised to update to a secure version and review their implementations to prevent exploitation.

Affected Version(s)

JetEngine <= 3.6.4.1

References

https://patchstack.com/database/wordpress/plugin/jet-engi...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2025
Vulnerability Reserved
Feb 17, 2025

Credit

stealthcopter (Patchstack Alliance)

JSON