What is CVE-2025-0369?

The JetEngine plugin for WordPress has a medium severity Stored Cross-Site Scripting vulnerability affecting versions up to 3.6.2. Organizations should address this vulnerability to prevent unauthorized script execution.

What is the severity of CVE-2025-0369?

CVE-2025-0369 has a severity rating of MEDIUM with a CVSS base score of 6.4.

CVE-2025-0369 | Medium Vulnerability in JetEngine Plugin for WordPress

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

With a CVSS score of 6.4, this vulnerability is classified as medium severity, indicating that it poses a moderate risk to organizations. The risk to organizations includes potential unauthorized script execution, which could lead to further compromises within the affected environment.

As of now, there is no known public exploit for this vulnerability, but organizations should remain vigilant. The urgency for defenders is moderate; they should schedule remediation in their patch cycles to mitigate the risk associated with this vulnerability.

Organizations using the JetEngine plugin should prioritize patching to prevent potential exploitation of this vulnerability. Regular security assessments can help identify and address similar vulnerabilities in the future.

Vulnerability Details

The vulnerability in question is categorized under CWE-79, which indicates a failure to properly sanitize user input leading to stored cross-site scripting. The CVSS vector string for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, reflecting its attack vector as network-based, with low attack complexity and low privileges required for exploitation.

Technical Analysis

The root cause of this vulnerability is inadequate input sanitization and output escaping in the JetEngine plugin. Attackers may execute a stored cross-site scripting attack by injecting malicious scripts through the 'list_tag' parameter. The attack complexity is low, requiring minimal effort to exploit, as attackers only need Contributor-level access to perform the injection.

The attack vector is network-based, meaning that the attacker can exploit this vulnerability remotely over the internet. There is no user interaction required for the exploitation to succeed, which increases the risk of potential exploitation.

Risk & Impact Analysis

Risk to organizations includes unauthorized access to sensitive information, as well as the potential for attackers to leverage the injected scripts for further attacks. The blast radius can be substantial, especially in environments where multiple users access the affected pages. The urgency assessment indicates that organizations should schedule remediation given the vulnerability's CVSS score and its potential impact.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions of the JetEngine plugin for WordPress prior to version 3.6.2 are affected by this vulnerability. Organizations should ensure they are using the latest version to mitigate this risk.

Mitigation & Remediation

Organizations should prioritize patching the JetEngine plugin. It is crucial to upgrade to the latest version to mitigate the risks associated with this vulnerability. If immediate patching is not feasible, organizations may consider implementing input validation and output encoding as temporary workarounds. Regular security assessments are recommended to identify such vulnerabilities proactively.

Detection Guidance

Security teams should monitor logs for unusual script execution patterns and validate user inputs to detect potential exploitation attempts. Behavioral anomalies in user interactions with the affected plugin may indicate attempted exploitation.

AppSecure Threat Intelligence Insight

The JetEngine vulnerability highlights the importance of input sanitization in web applications. Security teams should enhance their validation processes to avoid similar issues. For organizations leveraging WordPress, this incident serves as a reminder of the potential risks arising from third-party plugins. Engaging in regular security assessments, such as application security assessments and penetration testing services will help identify vulnerabilities before they can be exploited.

For further insights into safeguarding against web vulnerabilities, organizations can refer to vulnerability management programs and engage in proactive security measures.

Lastly, organizations should keep abreast of emerging threats and trends in web application security to ensure they are not left vulnerable to exploitation.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-0369: Medium Vulnerability in JetEngine Plugin for WordPress