CVE-2025-0369 is a stored cross-site scripting vulnerability identified in the Crocoblock JetEngine plugin for WordPress, affecting all versions up to and including 3.6.2. The vulnerability stems from improper neutralization of input during web page generation, specifically through the 'list_tag' parameter. Because the plugin fails to sufficiently sanitize and escape this input, authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires authentication but no user interaction to trigger the payload once injected. The CVSS 3.1 score of 6.4 reflects a medium severity, with an attack vector over the network, low attack complexity, and privileges required at the contributor level. The scope is changed because the vulnerability affects the confidentiality and integrity of user data across the site. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is cataloged under CWE-79, indicating cross-site scripting due to improper input validation and output encoding.

The primary impact of CVE-2025-0369 is the compromise of user confidentiality and integrity on WordPress sites using the JetEngine plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can erode user trust, damage brand reputation, and lead to data breaches. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by the need for an attacker to have contributor-level permissions, but insider threats or compromised contributor accounts increase risk. The vulnerability does not affect availability directly but can indirectly cause service disruption through exploitation or remediation efforts. Organizations running WordPress sites with JetEngine, especially those with multiple contributors or open registration, face increased risk. The widespread use of WordPress globally means the impact can be significant, particularly for sites handling sensitive user data or e-commerce.

1. Immediately restrict Contributor-level permissions to trusted users only and audit existing contributor accounts for suspicious activity. 2. Implement strict input validation and output escaping for the 'list_tag' parameter in custom code or temporary filters if patching is not yet available. 3. Monitor site logs and user activity for unusual behavior indicative of XSS exploitation attempts. 4. Disable or remove the JetEngine plugin if it is not essential until a patched version is released. 5. Educate content contributors about the risks of injecting untrusted content and enforce content review workflows. 6. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS payloads to block exploitation attempts. 7. Keep WordPress core, themes, and all plugins up to date and subscribe to vendor security advisories for timely patching. 8. Consider implementing Content Security Policy (CSP) headers to reduce the impact of injected scripts. 9. Regularly back up site data to enable recovery in case of compromise. 10. Once a patch is available, apply it promptly and verify remediation through security testing.