{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68504", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-19T10:16:51.229Z", "datePublished": "2025-12-29T21:14:40.576Z", "dateUpdated": "2026-04-28T16:14:29.082Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected", "packageName": "jet-search", "product": "JetSearch", "vendor": "Crocoblock", "versions": [{"changes": [{"at": "3.5.16.1", "status": "unaffected"}], "lessThanOrEqual": "3.5.16", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:43:53.189Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.<p>This issue affects JetSearch: from n/a through <= 3.5.16.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.This issue affects JetSearch: from n/a through <= 3.5.16."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:29.082Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-16-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress JetSearch plugin <= 3.5.16 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-30T15:49:56.980435Z", "id": "CVE-2025-68504", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T15:50:12.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68504", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-30T15:49:56.980435Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-30T15:50:03.646Z"}}], "cna": {"title": "WordPress JetSearch plugin <= 3.5.16 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Crocoblock", "product": "JetSearch", "versions": [{"status": "affected", "changes": [{"at": "3.5.16.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.5.16"}], "packageName": "jet-search", "collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:23:19.142Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-16-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.This issue affects JetSearch: from n/a through <= 3.5.16.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.<p>This issue affects JetSearch: from n/a through <= 3.5.16.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.580Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68504", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:13:56.580Z", "dateReserved": "2025-12-19T10:16:51.229Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-29T21:14:40.576Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch jet-search allows DOM-Based XSS.This issue affects JetSearch: from n/a through <= 3.5.16."}], "id": "CVE-2025-68504", "lastModified": "2026-04-23T15:35:55.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-29T22:15:43.163", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-16-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:07:38.471475+00:00", "value": {"mitigation_remediation": ["Update JetSearch to a version newer than 3.5.16.", "If an immediate update is not possible, temporarily disable or remove the JetSearch plugin until a patch is applied.", "Configure a web application firewall to block malicious scripts targeting the JetSearch plugin."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011site scripting allowing injection of malicious scripts into the victim\u2019s browser"}, "threat_synthesis": {"affected_systems": "WordPress sites that run the JetSearch plugin version 3.5.16 or earlier are affected. The plugin, released by Crocoblock under the JetSearch name, is vulnerable from its earliest version through 3.5.16. No specific WordPress core or theme versions are indicated as impacted.", "description_and_impact": "The vulnerability is a DOM\u2011based XSS flaw caused by improper neutralization of user input before rendering in a web page. An attacker can inject arbitrary JavaScript into the page, which executes in the context of the victim\u2019s browser. The weakness is identified as CWE\u201179 and can lead to malicious scripts running on the client side.", "risk_and_exploitability": "The CVSS score of 6.5 reflects a moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation at the present time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires a victim to visit a maliciously crafted URL or submit input that the plugin fails to sanitize, which is inferred from the description of a DOM\u2011based XSS flaw. Given these factors, the overall risk is considered moderate but with a low expected exploitation rate."}}}}, "created": "2026-01-05T10:23:12.792682+00:00", "updated": "2026-04-28T10:15:28.855541+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}