Impact
The vulnerability is a DOM‑based cross‑site scripting (XSS) flaw in the Crocoblock JetWooBuilder WordPress plugin, caused by improper neutralization of user input during web page generation (CWE‑79, which covers missing input validation and missing output encoding). In DOM‑based XSS the unsafe step happens in the browser rather than on the server: client‑side script reads attacker‑influenced data (typically from the URL query string or fragment, or from a form field) and writes it into the page through a sink such as innerHTML without encoding it, so the browser parses and executes any script the data contains. An attacker who can get a victim to open a crafted link or submit a crafted form can therefore run arbitrary JavaScript in the victim’s session, which enables session hijacking, theft of credentials and form data, or defacement, without the victim having to disclose any credentials. One practical caveat: when the payload travels in the URL fragment, the browser never sends it to the server, so server‑side WAF rules and access logs may not record the attack at all. The impact is confined to the users who view the vulnerable page; however, on a site that exposes e‑commerce or administrative functions, the damage to confidentiality or integrity can be significant.
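The pattern described above, as an added example that is not JetWooBuilder code and does not reproduce the plugin's actual source: a client‑side renderer reads a hypothetical `product` parameter from the URL and writes it into the page. The vulnerable innerHTML sink is shown beside two hardened variants (context‑aware encoding, and writing via textContent so the data is never parsed as markup). The URL, the parameter name and the attack payload are constructed for illustration, and the element stub lets the functions run under Node as well as in a browser.

```javascript
// Added illustration of the DOM-based XSS pattern behind CWE-79.
// Not JetWooBuilder code; the "product" parameter and URLs are hypothetical.

// Read a named value from the query string or the fragment, as a client-side
// widget might. A fragment-borne payload never leaves the browser, so
// server-side WAFs and access logs will not see it.
function getParam(url, name) {
  const u = new URL(url);
  const hashParams = new URLSearchParams(u.hash.replace(/^#/, ''));
  return hashParams.get(name) ?? u.searchParams.get(name);
}

// VULNERABLE: attacker-controlled text is concatenated into markup and handed
// to innerHTML, so the browser parses any tags or event handlers it contains.
function renderVulnerable(el, url) {
  const product = getParam(url, 'product') ?? 'All products';
  el.innerHTML = '<h2>Results for ' + product + '</h2>'; // sink
  return el.innerHTML;
}

// Minimal encoder for the HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// HARDENED, option 1: still build markup, but encode the data for its context.
function renderEncoded(el, url) {
  const product = getParam(url, 'product') ?? 'All products';
  el.innerHTML = '<h2>Results for ' + escapeHtml(product) + '</h2>';
  return el.innerHTML;
}

// HARDENED, option 2 (preferred): never hand untrusted data to an HTML parser.
// textContent stores the string verbatim; tags in it are shown, not executed.
function renderText(el, url) {
  const product = getParam(url, 'product') ?? 'All products';
  el.textContent = 'Results for ' + product;
  return el.textContent;
}

// Constructed attack URL (not a real site): the payload rides in the fragment.
const ATTACK_URL = 'https://shop.example/products/#product=' +
  encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

// Constructed benign URL for comparison.
const BENIGN_URL = 'https://shop.example/products/?product=Shoes';

// Stand-in for a DOM element so the code runs under Node; in a browser pass
// document.querySelector('#results') instead.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Stand-alone demonstration: the vulnerable path keeps the <img> tag intact.
console.log(renderVulnerable(fakeElement(), ATTACK_URL));
console.log(renderEncoded(fakeElement(), ATTACK_URL));
console.log(renderText(fakeElement(), ATTACK_URL));
```

In a real page the difference is visible immediately: the first call fires the `onerror` handler, the other two display the payload as literal text. The encoded variant is only correct because the data lands in an HTML text context; data placed in a URL attribute, a script block or a CSS value needs a different encoder, which is why the textContent form is the safer default.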
Affected Systems
WordPress sites running the Crocoblock JetWooBuilder plugin at any version up to and including 2.1.20 are affected. Confirm the installed version in the WordPress plugin list (or with WP‑CLI) and update to a release later than 2.1.20.
Risk and Exploitability
The CVSS base score of 6.5 places the issue in the Medium severity range, while the EPSS score below 1 % indicates a very low probability of exploitation in the wild at the time of analysis; the vulnerability is not listed in the CISA KEV catalog. Exploitation requires getting a payload into a context that client‑side script later evaluates, so the attack vector is client‑side and depends on user interaction: a victim opening a crafted link or submitting a crafted form. Taken together, these factors put the overall risk at moderate, but remediation should not be deferred. An XSS payload executing in an administrator’s session can perform any action that administrator can, so XSS is a common stepping stone to full site compromise.
OpenCVE Enrichment