CVE-2021-41844 Open Redirect in JetEngine WordPress Plugin

1. Vulnerability Properties

Title: Open Redirect in JetEngine WordPress Plugin
CVE ID: CVE-2021-41844
CVSSv3 Base Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vendor: Crocoblock
Products: JetEngine
Advisory Release Date: 16-12-2021
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-41844
Credits: Discovery by Bruno Barreirinhas <bb[at]integrity.pt>

2. Vulnerability Summary

The Crocoblock JetEngine plugin for WordPress is vulnerable to open redirection via GET or POST requests. The form parameter _jet_engine_refer accepts untrusted input, and the web application redirects the request to whatever URL that untrusted input contains.
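The redirect pattern the summary describes, shown beside a hardened version, as an added example. This is not JetEngine's code and does not reproduce the vendor's fix: only the parameter name _jet_engine_refer comes from the advisory, while the function names, the host shop.example and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not JetEngine's own code. Only the parameter name
// _jet_engine_refer is taken from the advisory; the functions, the host
// value and the sample inputs below are constructed for this example.

// Vulnerable pattern: whatever the client puts in _jet_engine_refer becomes
// the Location header, so an absolute URL sends the user off-site.
function redirect_target_vulnerable(array $request): string
{
    return $request['_jet_engine_refer'] ?? '/';
}

// Hardened pattern: accept only targets that stay on $home_host, otherwise
// fall back to a fixed local URL. Returns the URL that should be used.
function redirect_target_safe(array $request, string $home_host, string $fallback = '/'): string
{
    $raw = (string) ($request['_jet_engine_refer'] ?? '');
    if ($raw === '') {
        return $fallback;
    }

    // Browsers treat backslashes like forward slashes, so "/\evil.example"
    // must be judged as "//evil.example" (a protocol-relative, off-site URL).
    $candidate = str_replace('\\', '/', $raw);

    // Control characters or whitespace could split headers or confuse parsers.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate) === 1) {
        return $fallback;
    }

    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }

    // Only http and https may ever appear as a scheme (no javascript:, data:, ...).
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    if (isset($parts['host'])) {
        // Absolute or protocol-relative URL: the host must be exactly ours.
        // parse_url puts a "user@" prefix in 'user', so the host compared here
        // is the one the browser would actually contact.
        if (strcasecmp($parts['host'], $home_host) !== 0) {
            return $fallback;
        }
        return $candidate;
    }

    // No host: this must be a site-relative path. Require exactly one leading
    // slash so that "//host" or "///host" can never slip through as a path.
    if (preg_match('#^/(?!/)#', $candidate) !== 1) {
        return $fallback;
    }
    return $candidate;
}

// Constructed requests exercising the two handlers side by side.
$home_host = 'shop.example';
$samples = [
    ['_jet_engine_refer' => '/wp-admin/'],
    ['_jet_engine_refer' => 'https://shop.example/checkout/?step=2'],
    ['_jet_engine_refer' => 'https://phish.example/login'],
    ['_jet_engine_refer' => '//phish.example'],
    ['_jet_engine_refer' => '/\\phish.example'],
    ['_jet_engine_refer' => 'https://shop.example@phish.example/'],
    ['_jet_engine_refer' => 'javascript:void(0)'],
    ['_jet_engine_refer' => ''],
];

foreach ($samples as $request) {
    printf(
        "%-45s vulnerable -> %-45s safe -> %s\n",
        var_export($request['_jet_engine_refer'], true),
        redirect_target_vulnerable($request),
        redirect_target_safe($request, $home_host)
    );
}
```

The plain-PHP version runs under the php CLI with WordPress not loaded. Inside a real plugin the same host comparison is what WordPress's wp_validate_redirect() performs, and wp_safe_redirect() applies it before emitting the Location header, so a plugin that routes its redirect through those helpers (with the host taken from home_url()) gets the check without reimplementing it.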

3. Vulnerable Versions

  • < 2.9.1

4. Solution

  • Update to version 2.9.1 or higher

5. Vulnerability Timeline

  • 12/Aug/21 - Bug reported to Crocoblock
  • 13/Aug/21 - Bug verified by vendor
  • 08/Sep/21 - Bug fixed by vendor
  • 16/Dec/21 - Advisory released

6. References

  • https://crocoblock.com/changelog/?plugin=jet-engine
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41844


© 2022 Integrity Part of Devoteam. All rights reserved.