Platform: wordpress
Component: jet-search
Fixed in: 3.5.11
CVE-2025-49931 describes a Blind SQL Injection vulnerability discovered in Crocoblock JetSearch, a WordPress plugin. This flaw allows attackers to potentially extract sensitive data from the database. The vulnerability impacts versions from 0.0.0 up to and including 3.5.10. A patch has been released in version 3.5.11.
The SQL Injection vulnerability in JetSearch allows an attacker to bypass security measures and execute arbitrary SQL queries against the underlying database. Because it's a Blind SQL Injection, the attacker doesn't receive direct output from the queries, but can infer information based on the database's response (e.g., timing differences). This could lead to the extraction of user credentials, configuration details, or other sensitive information stored within the database. Successful exploitation could compromise the entire WordPress site and potentially lead to data breaches or complete system takeover. While no direct precedent exists for this specific plugin, Blind SQL Injection vulnerabilities are frequently exploited, and the potential impact is significant.
CVE-2025-49931 was publicly disclosed on 2025-10-22. The vulnerability is not currently listed on the CISA KEV catalog. There are no publicly known proof-of-concept exploits available at this time, but the nature of Blind SQL Injection means that development of such exploits is likely. The EPSS score is likely to be medium, given the critical CVSS score and the potential for data exfiltration.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49931 is to immediately upgrade Crocoblock JetSearch to version 3.5.11 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block suspicious SQL queries targeting the JetSearch endpoints. Specifically, look for patterns indicative of SQL injection attempts, such as unusual character sequences or attempts to inject SQL commands. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrading, confirm the fix by attempting a SQL injection payload against the vulnerable endpoint and verifying that it is blocked or returns an error.
Update the JetSearch plugin to the latest available version to mitigate the SQL Injection vulnerability. Refer to the plugin documentation or the developer's website for specific upgrade instructions.
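Deciding which sites actually fall in the affected range (0.0.0 through 3.5.10) needs a numeric version comparison, because a plain string comparison ranks "3.5.9" above "3.5.10" and would wrongly clear an affected install. The script below is an added example, not code from this advisory or from Crocoblock; the site inventory in it is constructed sample data, and the version strings would in practice come from the sites themselves (for instance WP-CLI's `wp plugin get jet-search --field=version`).

```python
"""Triage a site inventory against the CVE-2025-49931 affected range.

Added example; the advisory states the range (through 3.5.10) and the
fixed release (3.5.11). The inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Values from the advisory: affected 0.0.0 through 3.5.10, fixed in 3.5.11.
FIXED_IN = "3.5.11"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable tuple.

    Comparison must be numeric: as strings, '3.5.9' > '3.5.10'. The fourth
    element orders a pre-release (-1) before its final release (0), so
    '3.5.11-beta1' sorts below '3.5.11'. Missing fields pad with zero,
    so '3.5' compares equal to '3.5.0'.
    """
    core, sep, _suffix = version.strip().partition("-")
    fields = core.split(".")
    if not 1 <= len(fields) <= 3 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised version string {version!r}")
    nums = [int(f) for f in fields] + [0] * (3 - len(fields))
    return (nums[0], nums[1], nums[2], -1 if sep else 0)


def is_affected(installed: str) -> bool:
    """True when the installed JetSearch version predates the fixed release.

    'Below 3.5.11' equals the advisory's 'through 3.5.10' for release
    versions and deliberately also flags pre-releases of 3.5.11, since a
    beta cannot be assumed to carry the fix.
    """
    return parse_version(installed) < parse_version(FIXED_IN)


def triage(inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per site that needs action; clean sites produce none."""
    findings: List[Dict[str, str]] = []
    for site, version in inventory.items():
        try:
            affected = is_affected(version)
        except ValueError:
            # An unparseable version is a finding too: never silently clear it.
            findings.append({"site": site, "installed": version,
                             "action": "version string not understood; verify manually"})
            continue
        if affected:
            findings.append({"site": site, "installed": version,
                             "action": f"upgrade jet-search to {FIXED_IN} or later"})
    return findings


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "shop.example": "3.5.10",
    "blog.example": "3.5.9",
    "docs.example": "3.5.11",
    "news.example": "3.6.0",
    "dev.example": "3.5.11-beta1",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['site']}: jet-search {finding['installed']} -> {finding['action']}")
```

Sites that report a version the parser does not understand are surfaced as findings rather than dropped, so a malformed inventory entry cannot hide an unpatched install.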
CVE-2025-49931 is a critical SQL Injection vulnerability affecting Crocoblock JetSearch versions 0.0.0 through 3.5.10, allowing attackers to potentially extract data via Blind SQL Injection.
If you are using Crocoblock JetSearch versions 0.0.0 through 3.5.10 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade Crocoblock JetSearch to version 3.5.11 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While there are no currently known active exploits, the vulnerability's nature makes it likely that exploits will be developed. Proactive patching is recommended.
Please refer to the Crocoblock website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-49931.