Impact
Crocoblock JetBlog contains a DOM-based XSS flaw that allows an attacker to inject arbitrary JavaScript when a victim loads a page containing the vulnerable plugin. The flaw arises from improper neutralization of input during web-page generation, enabling client-side script execution in the victim's browser. This can result in session hijacking, credential theft, or defacement of the site's content, as the script runs with the victim's privileges. The vulnerability is client-side and does not provide remote code execution on the server, but it can compromise the confidentiality and integrity of user data and the integrity of the web application's UI.
Affected Systems
WordPress sites running the Crocoblock JetBlog plugin at version 2.4.3 or earlier are affected. No other vendors or versions are listed; the advisory specifies that all releases through 2.4.3 are vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity. The EPSS score is less than 1%, implying a very low probability of exploitation at the time of reporting. It is not listed in the CISA KEV catalog. The flaw is a client-side web-application vulnerability: an attacker needs only to entice a user to visit a crafted URL or to include a malicious payload on the page, so no special authentication or privileged access is required. The likely attack vector is via the front end, where untrusted data is reflected into the DOM without proper encoding.
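The following is an added illustration of the generic DOM-based XSS pattern the advisory describes (untrusted URL-derived data written into an HTML-parsing sink) next to two hardened forms, plus a small code-review helper that flags lines where such a sink is fed directly from a URL source. It is not JetBlog's code and says nothing about where the plugin's actual defect lies; the element stand-in, the sample fragment and the sample source lines are constructed for the example so it runs under Node as well as in a browser.

```javascript
// Added example, not from the JetBlog plugin: generic DOM XSS pattern and mitigations.

// Encode the five HTML-significant characters so untrusted text becomes inert markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE pattern: a value taken from the URL (e.g. location.hash) is concatenated
// straight into an HTML-parsing sink, so any markup or event handler in it is interpreted.
function renderUnsafe(el, untrusted) {
  el.innerHTML = 'Results for: ' + untrusted;
  return el.innerHTML;
}

// HARDENED form 1: use a text sink; the browser never parses the value as markup.
function renderSafeText(el, untrusted) {
  el.textContent = 'Results for: ' + untrusted;
  return el.textContent;
}

// HARDENED form 2: if HTML assembly is unavoidable, encode before reaching the sink.
function renderSafeEncoded(el, untrusted) {
  el.innerHTML = 'Results for: ' + escapeHtml(untrusted);
  return el.innerHTML;
}

// Stand-in for a DOM element (constructed for this example) so the functions run offline.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed sample: a fragment a page might read from location.hash.
// Any element or on* handler in it would be parsed by the unsafe sink just like this <b>.
const SAMPLE_FRAGMENT = '<b>untrusted</b>';

// Code-review aid for a defender: flag lines where an HTML sink is assigned from a URL
// source on the same line. This is a same-line heuristic and misses values that flow
// through intermediate variables, so treat hits as review starting points, not proof.
const HTML_SINKS = /\.(innerHTML|outerHTML)\s*=|document\.write(ln)?\s*\(|\.insertAdjacentHTML\s*\(/;
const URL_SOURCES = /location\.(hash|search|href)|document\.URL|document\.referrer/;

function flagSuspiciousLines(jsSource) {
  return jsSource
    .split('\n')
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) => HTML_SINKS.test(text) && URL_SOURCES.test(text));
}

// Constructed sample source lines to run the review aid against.
const SAMPLE_SOURCE = [
  "const q = location.hash.slice(1);",
  "box.innerHTML = 'Results for: ' + location.hash;",
  "box.textContent = location.hash;",
  "other.innerHTML = escapeHtml(q);",
].join('\n');

// Stand-alone run: show the three renderings and the flagged line.
console.log('unsafe  :', renderUnsafe(fakeElement(), SAMPLE_FRAGMENT));
console.log('text    :', renderSafeText(fakeElement(), SAMPLE_FRAGMENT));
console.log('encoded :', renderSafeEncoded(fakeElement(), SAMPLE_FRAGMENT));
console.log('flagged :', flagSuspiciousLines(SAMPLE_SOURCE).map((h) => h.line));
```

In a real review the same-line check above only surfaces the obvious cases; a value read from `location.hash` on one line and written to `innerHTML` ten lines later needs dataflow tracing (or a browser-side check with DevTools) to catch. Preferring `textContent` over `innerHTML` wherever the value is meant to be displayed as text removes the sink entirely, which is the more robust fix.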
OpenCVE Enrichment