Jegtheme
Products by Jegtheme Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 4 vulnerabilities in Jegtheme with an average score of 7.0 out of ten. Last year, in 2025, Jegtheme had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Jegtheme in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.48.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 4 | 7.03 |
| 2025 | 4 | 5.55 |
| 2024 | 13 | 5.98 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 7.00 |
It may take a day or so for new Jegtheme vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Jegtheme Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-68906 | Jan 22, 2026 | **XSS in JNewsVideo 11.0.2 (Reflected).** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. | |
| CVE-2025-68905 | Jan 22, 2026 | **JNews-Pay Writer <=11.0.0 PHP LFI via Filename.** Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. | |
| CVE-2025-68904 | Jan 22, 2026 | **JNews Frontend Submit Reflected XSS <=11.0.0.** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Frontend Submit jnews-frontend-submit allows Reflected XSS. This issue affects JNews - Frontend Submit: from n/a through <= 11.0.0. | |
| CVE-2025-14275 | Jan 08, 2026 | **Jeg Elementor Kit Stored XSS via Countdown Redirect 3.0.1.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element. | |
| CVE-2025-67591 | Dec 09, 2025 | **CSRF in JNews Paywall <12.0.1 (jegtheme).** Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1. | |
| CVE-2025-67538 | Dec 09, 2025 | **JNews Gallery Stored XSS (v<12.0.1) via jnews-gallery.** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS. This issue affects JNews Gallery: from n/a through < 12.0.1. | |
| CVE-2025-53573 | Nov 06, 2025 | **WordPress Epic Review XSS (reflected) < 1.0.2.** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme Epic Review epic-review allows Reflected XSS. This issue affects Epic Review: from n/a through <= 1.0.2. | |
| CVE-2024-13217 | Feb 27, 2025 | **Jeg Elementor Kit WP 2.6.11 SDE via expired_data, build_content.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.11 via the 'expired_data' and 'build_content' functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data. | |
| CVE-2024-8899 | Nov 26, 2024 | **Jeg Elementor Kit <=2.6.9 SIE via render_content.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the render_content function in class/elements/views/class-tabs-view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | |
| CVE-2024-10308 | Nov 26, 2024 | **Stored XSS in Jeg Elementor Kit <=2.6.9 Countdown widget.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's JKit - Countdown widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-47390 | Oct 05, 2024 | **Jeg Elementor Kit < 2.6.8 Stored XSS Vulnerability.** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme Jeg Elementor Kit jeg-elementor-kit allows Stored XSS. This issue affects Jeg Elementor Kit: from n/a through <= 2.6.8. | |
| CVE-2024-6804 | Aug 27, 2024 | **Jeg Elementor Kit WP XSS via SVG uploads 2.6.7.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |
| CVE-2024-4479 | Jun 15, 2024 | **Stored XSS in Jeg Elementor Kit 2.6.5 via sg_* attributes.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sg_general_toggle_tab_enable and sg_accordion_style attributes within the plugin's JKit - Tabs and JKit - Accordion widget, respectively, in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-3819 | May 02, 2024 | **Jeg Elementor Kit <=2.6.4 WP Plugin XSS via JKit Banner widget.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's JKit - Banner widget in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-3161 | May 02, 2024 | **Stored XSS in Jeg Elementor Kit <2.6.4 Countdown Widget.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-0334 | May 01, 2024 | **Jeg Elementor Kit WP Plugin Stored XSS via Link Attribute (2.6.4).** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attribute of a link in several Elementor widgets in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-32721 | Apr 24, 2024 | **Jeg Elementor Kit (2.6.3) Stored XSS via Improper Input Neutralization.** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jegtheme Jeg Elementor Kit allows Stored XSS. This issue affects Jeg Elementor Kit: from n/a through 2.6.3. | |
| CVE-2024-3162 | Apr 03, 2024 | **Stored XSS via Testimonial Widget in Jeg Elementor Kit <2.6.3.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget Attributes in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-32721 is likely a duplicate of this issue. | |
| CVE-2024-1327 | Apr 03, 2024 | **Stored XSS in Jeg Elementor Kit Plugin v<=2.6.3 via Image Box Widget.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image box widget in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-1326 | Mar 21, 2024 | **WP Jeg Elementor Kit XSS via HTML Tag attribs v<=2.6.2.** The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tag attributes in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-29101 is likely a duplicate of this issue. | |
| CVE-2024-29101 | Mar 19, 2024 | **Jeg Elementor Kit XSS Stored XSS in Jeg Elementor Kit <2.6.2.** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jegtheme Jeg Elementor Kit allows Stored XSS. This issue affects Jeg Elementor Kit: from n/a through 2.6.2. | |
| CVE-2022-3805 | Dec 22, 2022 | **Authorization Bypass in Jeg Elementor Kit v2.5.6 via Nonce.** The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements. | |
| CVE-2022-3794 | Dec 22, 2022 | **Authorization Bypass in Jeg Elementor Kit <=2.5.6 via AJAX actions.** The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various AJAX actions in versions up to, and including, 2.5.6. Authenticated users can use an easily available nonce value to create header templates and make additional changes to the site, as the plugin does not use capability checks for this purpose. | |