CVE-2025-54688: 
WordPress vulnerability analysis and mitigation

The JetEngine plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-54688) discovered by researcher stealthcopter and disclosed on July 30, 2025. This vulnerability affects versions up to and including 3.7.1.2. The issue stems from insufficient input sanitization and output escaping in the plugin (Rapid7, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based with low attack complexity, requires low privileges and user interaction, has a changed scope, and can impact confidentiality, integrity, and availability at a low level (AttackerKB).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page, potentially leading to unauthorized data access, session hijacking, or other malicious activities (Rapid7).

The vulnerability has been patched in version 3.7.2 of the JetEngine plugin. Website administrators are advised to update to this version or later to remediate the security issue. The patch priority is considered low, but updating is recommended to prevent potential exploitation (Patchstack).