Impact
JetElements For Elementor, a WordPress plugin by Crocoblock, does not properly neutralize user-supplied input before writing it into generated web pages (the weakness class of cross-site scripting, CWE-79), which allows stored cross-site scripting (XSS). An attacker can inject a script payload into content processed by the plugin; the payload is saved and later rendered, unescaped, in pages served to other visitors. The script then runs in those visitors' browsers within the site's origin, so it can read and alter page content and act within the application as the victim, compromising the confidentiality and integrity of the web application and its users' sessions.
Affected Systems
Crocoblock's JetElements For Elementor plugin for WordPress is affected in all releases up to and including version 2.7.4.1. Any WordPress site running one of those versions is exposed. The installed version can be read from the plugin's header in the WordPress admin Plugins screen or from the plugin's main file on disk; the advisory itself does not name a fixed release.
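The following added example (not code from the advisory or from Crocoblock) checks whether an installed copy falls inside the affected range by reading the "Version:" field from the plugin's standard WordPress header block and comparing it numerically against 2.7.4.1. It assumes the plugin's main file lives at wp-content/plugins/jet-elements/jet-elements.php; the header text it parses offline is constructed for the example.

```python
"""
Decide whether an installed JetElements For Elementor falls in the affected
range (all releases up through 2.7.4.1) by reading the version from the
plugin's WordPress header block.

Assumptions not taken from the advisory: the plugin's main file path below,
and the constructed SAMPLE_HEADER used to run this offline.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# From the advisory: every release up to and including this one is affected.
LAST_AFFECTED = "2.7.4.1"

# Assumed location of the plugin's main file inside a WordPress install.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/jet-elements/jet-elements.php")

# Constructed sample of a WordPress plugin header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: JetElements For Elementor
 * Plugin URI:  https://crocoblock.com/plugins/jetelements/
 * Description: Addon for Elementor.
 * Version:     2.7.4.1
 * Author:      Crocoblock
 */
"""

# Matches the "Version:" header line, tolerating the comment-block prefix.
_VERSION_RE = re.compile(r"^[ \t/*#]*Version:\s*(?P<ver>\S+)", re.MULTILINE)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.7.4.1' into (2, 7, 4, 1) so comparisons are numeric,
    i.e. 2.7.10 sorts after 2.7.4.1 (a string compare would get that wrong)."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed version is at or below the last affected release.

    Tuples of unequal length compare lexicographically, so (2, 7, 4) < (2, 7, 4, 1)
    and (2, 7, 5) > (2, 7, 4, 1), which is the ordering WordPress plugin
    versions use in practice.
    """
    return parse_version(version) <= parse_version(last_affected)


def version_from_header(source: str) -> Optional[str]:
    """Extract the 'Version:' value from a plugin's header comment block."""
    m = _VERSION_RE.search(source)
    return m.group("ver") if m else None


def check_install(wp_root: Path = Path(".")) -> Optional[bool]:
    """Inspect a live WordPress tree; None when the plugin file is absent or
    carries no readable Version header."""
    path = wp_root / PLUGIN_MAIN_FILE
    if not path.is_file():
        return None
    ver = version_from_header(path.read_text(encoding="utf-8", errors="replace"))
    return is_affected(ver) if ver else None


if __name__ == "__main__":
    ver = version_from_header(SAMPLE_HEADER)
    print(f"sample header reports {ver}: "
          f"{'AFFECTED' if is_affected(ver) else 'outside affected range'}")
    status = {None: "plugin not found", True: "AFFECTED", False: "outside affected range"}
    print("live install:", status[check_install()])
```

Run it from the WordPress document root; the sample header always reports the boundary case as affected, while the live check returns None rather than a false negative when the plugin is simply not installed.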
Risk and Exploitability
The CVSS score of 6.5 falls in the Medium severity band, and the EPSS score below 1% indicates a low probability of exploitation in the wild; the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Based on the description, the likely attack path is an authenticated user with permission to create or edit content that passes through the plugin's input handling: the payload is stored once and then served on every subsequent view of the affected page. The need for an account with content-editing rights raises the bar for injection, but because the payload is stored, every visitor who loads the affected page executes the script, including higher-privileged users such as site administrators.