CVE-2025-0371 - Vulnerability Details

- Jet Elements <= 2.7.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Description

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.7.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-01-21

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The JetElements plugin for WordPress contains a stored cross‑site scripting flaw that affects several widgets. The vulnerability allows an attacker with contributor‑level or higher permissions to insert arbitrary JavaScript into user‑supplied widget attributes. When an affected user visits the page where the widget is displayed, the malicious script executes in the victim’s browser and can perform any actions permitted by the script context.

Affected Systems

Crocoblock’s JetElements WordPress plugin is vulnerable in all releases up to and including version 2.7.2.1. Any installation that uses the affected widgets on a WordPress site is at risk. Versions newer than 2.7.2.1 have been patched.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium‑severity risk, while an EPSS score below 1 % signifies a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authenticated contributor‑level access, the risk is mitigated to the extent that such roles are restricted or inaccessible to potential attackers. Exploitation hinges on the attacker being able to input data into the vulnerable widget attributes, which the code then fails to sanitize before rendering.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Crocoblock

JetElements

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.7.2.1

Configuration 1 [-]

cpe:2.3:a:crocoblock:jetelements:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade JetElements to a version newer than 2.7.2.1, which removes the unsanitized widget handling.
If an upgrade is not possible immediately, delete or disable the vulnerable widgets on all pages to prevent stored scripts from being served.
Revoke contributor or higher permissions for users until the plugin is updated or the widgets are removed.

Generated by OpenCVE AI on April 22, 2026 at 04:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-1633	The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.7.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://crocoblock.com/changelog/
https://www.wordfence.com/threat-intel/vulnerabilities/id/ded2f366-375c-4cf6-9cbd-c969a3b3d6d5?source=cve

History

Fri, 31 Jan 2025 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Crocoblock Crocoblock jetelements
CPEs		cpe:2.3:a:crocoblock:jetelements::::::wordpress::*
Vendors & Products		Crocoblock Crocoblock jetelements

Tue, 21 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 21 Jan 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description		The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.7.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Jet Elements <= 2.7.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Weaknesses		CWE-79
References		https://crocoblock.com/changelog/ https://www.wordfence.com/threat-intel/vulnerabilities/id/ded2f366-375c-4cf6-9cbd-c969a3b3d6d5?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Crocoblock Jetelements

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-01-21T08:21:51.697Z

Updated: 2026-04-08T17:28:25.374Z

Reserved: 2025-01-09T23:53:07.499Z

Link: CVE-2025-0371

Vulnrichment

Updated: 2025-01-21T16:36:46.644Z

NVD

Status : Analyzed

Published: 2025-01-21T09:15:07.747

Modified: 2025-01-31T20:16:11.363

Link: CVE-2025-0371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object