Impact
The vulnerability is a missing authorization flaw: users can access or invoke plugin features that should be protected by access control checks. It gives attackers the ability to use JetElements functionality that is normally restricted to higher‑privilege WordPress users, potentially enabling the modification of site content, settings or internal configuration. The impact is a loss of integrity for the affected WordPress site, since unauthorized actors could alter or delete content and adjust plugin options without the expected permissions. The weakness is classified as CWE‑862 (Missing Authorization).
Affected Systems
WordPress installations running the Crocoblock JetElements For Elementor plugin through version 2.7.4.1 are affected. All builds from the earliest release up to and including 2.7.4.1 lack the authorization checks, so any site running a vulnerable version is at risk. Administrators should verify the plugin version installed in their environment.
Risk and Exploitability
With a CVSS score of 7.5, the vulnerability is rated high severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is crafted HTTP requests to the plugin’s endpoints: an attacker able to communicate with the WordPress site can trigger the exposed functionality from a low‑privilege user account, or potentially anonymously if the endpoint accepts unauthenticated requests.
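The pattern behind a CWE‑862 finding in a WordPress plugin, shown as an added illustration that is not JetElements' own code: a hypothetical admin-ajax handler that saves plugin settings without any authorization check, beside a hardened version. The action names, handler names and option key are assumptions made for this example.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. This is NOT JetElements
// code; the action names, handler names and option key are hypothetical.

// --- Vulnerable pattern: the handler trusts any caller who can reach admin-ajax.php.
// Registering the nopriv variant additionally exposes it to unauthenticated requests.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    // No capability check and no nonce: any request with the right POST body is honoured,
    // so a subscriber-level account (or an anonymous client) can rewrite plugin options.
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern: authorization (capability) plus request integrity (nonce),
// and no nopriv registration because this action must never run anonymously.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    // Authorization: only users permitted to manage options may change plugin settings.
    // wp_send_json_error() terminates the request, so no return is needed afterwards.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // CSRF protection: reject requests lacking a valid nonce for this specific action.
    check_ajax_referer( 'example_save_settings_v2', 'nonce' );

    // Input handling: assumes a flat key/value settings array.
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $clean    = array_map( 'sanitize_text_field', $settings );
    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success();
}
```

When reviewing a plugin for this weakness, look for every `wp_ajax_*`, `wp_ajax_nopriv_*` and REST route callback and confirm that each one performs a `current_user_can()` check (or a REST `permission_callback`) before touching options or content.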
OpenCVE Enrichment