CVE-2025-49931: SQL Injection in Crocoblock JetSearch
Platform: wordpress
Component: jet-search
Fixed in: 3.5.11
CVE-2025-49931 describes a Blind SQL Injection vulnerability discovered in Crocoblock JetSearch, a WordPress plugin. This flaw allows attackers to potentially extract sensitive data from the database. The vulnerability impacts versions from 0.0.0 up to and including 3.5.10. A patch has been released in version 3.5.11.
Impact and Attack Scenarios
The SQL Injection vulnerability in JetSearch allows an attacker to bypass security measures and execute arbitrary SQL queries against the underlying database. Because it's a Blind SQL Injection, the attacker doesn't receive direct output from the queries, but can infer information based on the database's response (e.g., timing differences). This could lead to the extraction of user credentials, configuration details, or other sensitive information stored within the database. Successful exploitation could compromise the entire WordPress site and potentially lead to data breaches or complete system takeover. While no direct precedent exists for this specific plugin, Blind SQL Injection vulnerabilities are frequently exploited, and the potential impact is significant.
Exploitation Context
CVE-2025-49931 was publicly disclosed on 2025-10-22. The vulnerability is not currently listed on the CISA KEV catalog. There are no publicly known proof-of-concept exploits available at this time, but the nature of Blind SQL Injection means that development of such exploits is likely. The EPSS score is likely to be medium, given the critical CVSS score and the potential for data exfiltration.
Threat Intelligence
EPSS: 0.03% (9th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: None — no integrity impact. Attacker cannot modify data.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2025-49931 is to immediately upgrade Crocoblock JetSearch to version 3.5.11 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block suspicious SQL queries targeting the JetSearch endpoints. Specifically, look for patterns indicative of SQL injection attempts, such as unusual character sequences or attempts to inject SQL commands. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrading, confirm the fix by attempting a SQL injection payload against the vulnerable endpoint and verifying that it is blocked or returns an error.
How to fix
Update the JetSearch plugin to the latest available version to mitigate the SQL Injection vulnerability. Refer to the plugin documentation or the developer's website for specific upgrade instructions.
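As an added example (not part of this advisory), the following POSIX shell check classifies an installed JetSearch version against the fixed-in release 3.5.11, so an inventory script can flag sites still in the affected 0.0.0 to 3.5.10 range. It assumes GNU `sort -V` for version ordering and, where WP-CLI is present, that `wp plugin get jet-search --field=version` reports the installed version; the sample version below is constructed.

```shell
#!/bin/sh
# Added example: is the installed JetSearch version still affected by
# CVE-2025-49931? The advisory states the fix shipped in 3.5.11.
FIXED_IN="3.5.11"

# version_lt A B -> exit status 0 when A sorts strictly before B.
# Uses GNU sort -V so "3.10.0" is correctly ordered after "3.5.11".
version_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# jetsearch_affected VERSION -> prints "affected" (< 3.5.11) or "patched".
jetsearch_affected() {
    if version_lt "$1" "$FIXED_IN"; then
        echo "affected"
    else
        echo "patched"
    fi
}

# Obtaining the real value (assumed WP-CLI invocation, run from the site root):
#   JETSEARCH_VERSION=$(wp plugin get jet-search --field=version)
# A constructed sample is used here so the script runs offline.
if [ -z "${JETSEARCH_VERSION:-}" ]; then
    JETSEARCH_VERSION="3.5.10"   # constructed sample value
fi
echo "jet-search $JETSEARCH_VERSION: $(jetsearch_affected "$JETSEARCH_VERSION")"
```

Set `JETSEARCH_VERSION` in the environment to check a real installation instead of the sample.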
Frequently asked questions
What is CVE-2025-49931 — SQL Injection in Crocoblock JetSearch?
CVE-2025-49931 is a critical SQL Injection vulnerability affecting Crocoblock JetSearch versions 0.0.0 through 3.5.10, allowing attackers to potentially extract data via Blind SQL Injection.
Am I affected by CVE-2025-49931 in Crocoblock JetSearch?
If you are using Crocoblock JetSearch versions 0.0.0 through 3.5.10 on your WordPress site, you are potentially affected by this vulnerability.
How do I fix CVE-2025-49931 in Crocoblock JetSearch?
Upgrade Crocoblock JetSearch to version 3.5.11 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Is CVE-2025-49931 being actively exploited?
While there are no currently known active exploits, the vulnerability's nature makes it likely that exploits will be developed. Proactive patching is recommended.
Where can I find the official Crocoblock advisory for CVE-2025-49931?
Please refer to the Crocoblock website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-49931.