PHP Remote File Inclusion Vulnerability in CrocoBlock JetReviews Plugin
CVE-2025-49921

7.3HIGH

Key Information:

Vendor: WordPress
Status: Jetreviews
Vendor: CVE Published:; 22 October 2025

What is CVE-2025-49921?

The JetReviews plugin by CrocoBlock is susceptible to a PHP Remote File Inclusion vulnerability due to improper control over filenames used in include and require statements. This flaw allows attackers to execute arbitrary PHP scripts on the server, leading to potential data exposure or even complete compromise of the website. Affected versions range from an unspecified version up to 3.0.0. It is crucial for website administrators to promptly update to the latest version to safeguard against this security risk.

Affected Version(s)

JetReviews <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/jet-...

vdb-entry

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 22, 2025
Vulnerability Reserved
Jun 11, 2025

Credit

stealthcopter (Patchstack Alliance)

JSON