Platform
wordpress
Component
jet-search
Fixed in
3.5.11
CVE-2025-49931 describes a Blind SQL Injection vulnerability discovered in Crocoblock JetSearch, a WordPress plugin. This flaw allows attackers to potentially extract sensitive data from the database. The vulnerability impacts versions from 0.0.0 up to and including 3.5.10. A patch has been released in version 3.5.11.
The SQL Injection vulnerability in JetSearch allows an attacker to bypass security measures and execute arbitrary SQL queries against the underlying database. Because it's a Blind SQL Injection, the attacker doesn't receive direct output from the queries, but can infer information based on the database's response (e.g., timing differences). This could lead to the extraction of user credentials, configuration details, or other sensitive information stored within the database. Successful exploitation could compromise the entire WordPress site and potentially lead to data breaches or complete system takeover. While no direct precedent exists for this specific plugin, Blind SQL Injection vulnerabilities are frequently exploited, and the potential impact is significant.
CVE-2025-49931 was publicly disclosed on 2025-10-22. The vulnerability is not currently listed on the CISA KEV catalog. There are no publicly known proof-of-concept exploits available at this time, but the nature of Blind SQL Injection means that development of such exploits is likely. The EPSS score is likely to be medium, given the critical CVSS score and the potential for data exfiltration.
WordPress websites utilizing Crocoblock JetSearch, particularly those with sensitive data stored in the database, are at risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from others.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/jet-search/
• generic web:
curl -I 'https://your-wordpress-site.com/jet-search/?q=' # Check for unusual headers or error messages
• wordpress / composer / npm:
wp plugin list --status=active | grep jet-search
• wordpress / composer / npm:
wp plugin update jet-search
Disclosure
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-49931 is to immediately upgrade Crocoblock JetSearch to version 3.5.11 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block suspicious SQL queries targeting the JetSearch endpoints. Specifically, look for patterns indicative of SQL injection attempts, such as unusual character sequences or attempts to inject SQL commands. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrading, confirm the fix by attempting a SQL injection payload against the vulnerable endpoint and verifying that it is blocked or returns an error.
Update the JetSearch plugin to the latest available version to mitigate the SQL injection vulnerability. Consult the plugin documentation or the developer's website for specific update instructions.
CVE-2025-49931 is a critical SQL Injection vulnerability affecting Crocoblock JetSearch versions 0.0.0 through 3.5.10, allowing attackers to potentially extract data via Blind SQL Injection.
If you are using Crocoblock JetSearch versions 0.0.0 through 3.5.10 on your WordPress site, you are potentially affected by this vulnerability.
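One way to turn that version range into a repeatable check, written here as an added example rather than anything taken from the advisory or from Crocoblock: the script reads the installed plugin version with WP-CLI (assumed to be on PATH and run from the WordPress root) and compares it field by field against the fixed release 3.5.11, so that any version from 0.0.0 up to and including 3.5.10 is reported as affected. The plugin slug `jet-search` and the version numbers come from the advisory; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the JetSearch plugin:
# decide whether an installed jet-search version is in the affected range
# (0.0.0 up to and including 3.5.10; fixed in 3.5.11 per the advisory).

FIXED_VERSION="3.5.11"

# version_lt A B: succeed (exit 0) when version A sorts before version B.
# Fields are compared numerically one at a time; a missing field counts
# as 0 and a non-numeric suffix such as "-beta" is ignored.
version_lt() {
    a="$1."   # trailing dot guarantees cut always sees a delimiter
    b="$2."
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # both strings exhausted: the versions are equal, so A is not less
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 1
        fi
        x=${x%%[!0-9]*}
        y=${y%%[!0-9]*}
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# jetsearch_affected VERSION: succeed when VERSION is below the fixed release.
jetsearch_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_jetsearch_version: read the plugin version with WP-CLI.
# Assumes `wp` is on PATH and the script runs from the WordPress root;
# fails (non-zero exit) when the plugin or WP-CLI is absent.
installed_jetsearch_version() {
    wp plugin get jet-search --field=version 2>/dev/null
}

# Usage: sh check-jetsearch.sh --check   (exit 2 when an affected version is installed)
if [ "${1:-}" = "--check" ]; then
    if v=$(installed_jetsearch_version); then
        if jetsearch_affected "$v"; then
            echo "jet-search $v is affected; update to $FIXED_VERSION or later"
            exit 2
        fi
        echo "jet-search $v is not affected"
    else
        echo "jet-search is not installed or WP-CLI is unavailable"
    fi
fi
```

The comparison is done in plain POSIX shell rather than with `sort -V` so it behaves the same on minimal hosting images; the non-zero exit on an affected install makes it easy to wire into a cron job or a deployment gate alongside the `wp plugin update jet-search` step the advisory lists.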
Upgrade Crocoblock JetSearch to version 3.5.11 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While there are no currently known active exploits, the vulnerability's nature makes it likely that exploits will be developed. Proactive patching is recommended.
Please refer to the Crocoblock website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-49931.