Description
Missing Authorization vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlocks For Elementor: from n/a through <= 1.3.16.
Published: 2025-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw in the WordPress JetBlocks For Elementor plugin. A missing authorization check allows users to execute privileged actions—such as creating, editing, or deleting blocks and page elements—that should be restricted to higher‑level roles. If exploited, an attacker could manipulate site content or potentially pivot to additional weaknesses inherent in the page‑building workflow.

Affected Systems

This issue affects Crocoblock JetBlocks For Elementor plugin versions from the earliest community release through 1.3.16. Any WordPress site that has not yet upgraded beyond 1.3.16 is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity, while the EPSS score of <1% suggests a low but non‑zero likelihood of exploitation at present. It is not cataloged in the CISA KEV database. Based on the description, it is inferred that the attack vector is remote via HTTP, and that an authenticated session—although not necessarily an admin session—is sufficient to leverage the flaw. If an attacker can log into the site with any user role, they may be able to perform unauthorized content‑management actions. The absence of a sophisticated exploitation chain makes patching the most effective mitigation.

Generated by OpenCVE AI on May 1, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crocoblock JetBlocks For Elementor to the latest release that fixes the missing authorization check.
  • Review and tighten WordPress user roles, removing any accounts that have unnecessary administrative or editor privileges granted by the plugin.
  • Examine the site for unauthorized block or page modifications and revert any changes that appear to have been made without proper permission.
  • Deploy a web application firewall to monitor and block suspicious requests to JetBlocks endpoints, adding an extra layer of protection until the patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 08:20 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-15800
Title: Missing Authorization vulnerability in Crocoblock JetBlocks For Elementor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlocks For Elementor: from n/a through 1.3.16.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in Crocoblock JetBlocks For Elementor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlocks For Elementor: from n/a through 1.3.16.
  Added: Missing Authorization vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlocks For Elementor: from n/a through <= 1.3.16.
Title
  Removed: WordPress JetBlocks For Elementor <= 1.3.16 - Broken Access Control Vulnerability
  Added: WordPress JetBlocks For Elementor plugin <= 1.3.16 - Broken Access Control Vulnerability
References
Metrics cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 19 May 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 19:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Crocoblock JetBlocks For Elementor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetBlocks For Elementor: from n/a through 1.3.16.
Title WordPress JetBlocks For Elementor <= 1.3.16 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:17:26.667Z

Reserved: 2025-04-16T06:23:29.555Z

Link: CVE-2025-39451

Vulnrichment

Updated: 2025-05-19T19:03:34.249Z

NVD

Status: Deferred

Published: 2025-05-19T19:15:50.160

Modified: 2026-04-29T10:16:47.070

Link: CVE-2025-39451

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses