Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS. This issue affects JetBlocks For Elementor: from n/a through <= 1.3.18.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Crocoblock JetBlocks for Elementor plugin is vulnerable to stored cross-site scripting (CWE-79) caused by improper neutralization of input during web page generation. An attacker who can save content through a field the plugin stores and later renders can embed script in it; because the stored value is written into the page output without adequate escaping, that script runs in the browser of every visitor who loads a page containing the affected JetBlocks content, with the site's own origin.
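Added example (not JetBlocks or Crocoblock code) of the rendering defect described above: a widget that writes stored, editor-supplied settings straight into markup, beside a version that escapes each value for the HTML context it lands in. The setting names ('title', 'link', 'css_class'), the markup and the payloads are hypothetical, constructed for the illustration.

```python
"""Stored XSS in a page-builder widget: unescaped vs. context-aware output.

Added illustration of the CWE-79 pattern the advisory describes; this is not
JetBlocks or Crocoblock code. The setting names ('title', 'link', 'css_class')
and the markup are hypothetical stand-ins for a widget that stores editor
input and later prints it into the page.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed attacker input: what a low-privileged editor might save into a
# widget's settings. Each value targets a different HTML context.
MALICIOUS_SETTINGS = {
    "title": '<img src=x onerror="alert(document.cookie)">',  # element content
    "link": "javascript:alert(1)",                             # URL attribute
    "css_class": '" onmouseover="alert(1)',                    # plain attribute
}

BENIGN_SETTINGS = {
    "title": "Read more",
    "link": "https://example.com/?a=1&b=2",
    "css_class": "btn",
}


def render_vulnerable(settings: dict) -> str:
    """Interpolates stored settings straight into markup (CWE-79)."""
    return (
        f'<a class="jet-item {settings["css_class"]}" href="{settings["link"]}">'
        f'{settings["title"]}</a>'
    )


def safe_url(value: str) -> str:
    """Keeps http(s) and relative URLs; drops script-bearing schemes entirely.

    Escaping alone does not help in a URL context: 'javascript:' survives
    html.escape unchanged, so the scheme must be allow-listed. Control
    characters are removed first because browsers ignore them inside the
    scheme, which is what the java<TAB>script: trick relies on.
    """
    cleaned = re.sub(r"[\x00-\x1f]", "", value).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme in ("http", "https", ""):
        return html.escape(cleaned, quote=True)
    return ""


def render_hardened(settings: dict) -> str:
    """Escapes each stored value for the context it lands in."""
    return (
        f'<a class="jet-item {html.escape(settings["css_class"], quote=True)}" '
        f'href="{safe_url(settings["link"])}">'
        f'{html.escape(settings["title"])}</a>'
    )


def script_bearing(markup: str) -> bool:
    """Crude check used only to contrast the two renderers: is there a live
    event-handler attribute or a javascript: href in the output?"""
    return bool(re.search(r'\son[a-z]+="|href="javascript:', markup, re.I))


if __name__ == "__main__":
    for name, s in (("malicious", MALICIOUS_SETTINGS), ("benign", BENIGN_SETTINGS)):
        print(f"--- {name}: vulnerable\n{render_vulnerable(s)}")
        print(f"--- {name}: hardened\n{render_hardened(s)}")
```

The three contexts in the hardened renderer are the ones a WordPress plugin would cover with esc_html(), esc_attr() and esc_url() respectively; note that the URL case is an allow-list, not an escape, because entity-encoding does nothing to a javascript: scheme.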

Affected Systems

WordPress sites running JetBlocks for Elementor at version 1.3.18 or earlier are affected. The CVE record gives no lower bound ("from n/a"), so every release up to and including 1.3.18 should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) classifies this as a medium-severity issue. The vector spells out what an attack needs: network access to the site, an authenticated account with limited privileges (PR:L) that can save the content the plugin renders, and a victim who views the affected page (UI:R); the changed scope (S:C) reflects that the injected script executes in visitors' browsers rather than in the vulnerable plugin itself. The EPSS score below 1% is a low predicted probability of exploitation in the wild, not evidence that exploitation has been observed or ruled out, and absence from the CISA KEV catalog means only that CISA has not confirmed active exploitation. Because the payload is stored, one successful injection runs for every visitor who views the page until the content is cleaned up.

Generated by OpenCVE AI on May 1, 2026 at 06:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBlocks for Elementor to version 1.3.19 or later, the release this recommendation identifies as containing the fix. The Remediation field above does not record a vendor fix, so confirm the patched version against the vendor changelog or the Patchstack advisory before treating a site as remediated.
  • If an immediate upgrade is not possible, reduce who can reach the vulnerable input: limit editing of pages that use JetBlocks widgets to trusted roles and review content saved by lower-privileged accounts. A Content-Security-Policy that disallows inline scripts (no 'unsafe-inline' in script-src, or a nonce- or hash-based policy) blunts stored XSS site-wide, but it cannot be scoped to one plugin's output, and WordPress and Elementor emit inline scripts of their own, so test such a policy in report-only mode before enforcing it.
  • Monitor stored page content and the rendered site for unexpected script tags, event-handler attributes or javascript: URLs, and consider disabling or removing JetBlocks until a patched version is installed.

Generated by OpenCVE AI on May 1, 2026 at 06:13 UTC.
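The monitoring step above is easiest to act on against the stored data rather than the rendered pages. The following is an added detection example, not OpenCVE or Crocoblock code: it walks the JSON that Elementor stores for each page in the `_elementor_data` post meta and flags string settings that carry script tags, event-handler attributes or script-bearing URLs, decoding HTML entities and stripping control characters first so that encoded payloads are not missed. The widget type names, setting keys and post IDs in the sample are constructed.

```python
"""Scan stored Elementor page data for stored-XSS payloads.

Added detection example, not OpenCVE or Crocoblock code. Elementor keeps a
page's widget tree as JSON in the `_elementor_data` post meta; the widget type
names and setting keys in the constructed sample are hypothetical.
"""
import html
import json
import re

# Strings that have no business in a stored setting that gets rendered into a
# page. Kept deliberately loose: hits are for a human to review, not to delete.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js_url", re.compile(r"(?:javascript|vbscript)\s*:", re.I)),
    ("html_data_url", re.compile(r"data\s*:\s*text/html", re.I)),
    ("srcdoc", re.compile(r"\bsrcdoc\s*=", re.I)),
]

# Constructed sample shaped like Elementor's stored JSON (section > column > widgets).
SAMPLE_POSTS = {
    42: json.dumps([{
        "id": "a1", "elType": "section", "settings": {}, "elements": [{
            "id": "b2", "elType": "column", "settings": {}, "elements": [
                {"id": "c3", "elType": "widget", "widgetType": "jet-nav",
                 "settings": {"menu_label": "Contact",
                              "link": {"url": "&#106;avascript:alert(document.cookie)",
                                       "is_external": ""}}},
                {"id": "d4", "elType": "widget", "widgetType": "jet-breadcrumbs",
                 "settings": {"prefix": '<img src=x onerror="alert(document.cookie)">'}},
                {"id": "e5", "elType": "widget", "widgetType": "heading",
                 "settings": {"title": "Welcome & thanks for visiting"}},
            ]}]}]),
    43: json.dumps([{"id": "f6", "elType": "section", "settings": {}, "elements": []}]),
}


def normalise(value: str) -> str:
    """Undo the encodings used to slip past naive filters: HTML entities
    (&#106;avascript:, &lt;script&gt;) and embedded control characters that
    browsers ignore inside a URL scheme (java<TAB>script:)."""
    return re.sub(r"[\x00-\x1f]", "", html.unescape(value))


def scan_value(value: str) -> list:
    """Names of the patterns that match one stored string."""
    text = normalise(value)
    return [name for name, rx in XSS_PATTERNS if rx.search(text)]


def _flatten(path, key, val):
    """Yield (path, dotted_key, string) for every string nested under a setting."""
    if isinstance(val, str):
        yield path, key, val
    elif isinstance(val, dict):
        for k, v in val.items():
            yield from _flatten(path, f"{key}.{k}", v)
    elif isinstance(val, list):
        for i, v in enumerate(val):
            yield from _flatten(path, f"{key}[{i}]", v)


def walk(elements, path=()):
    """Walk Elementor's element tree, yielding every string-valued setting."""
    for idx, el in enumerate(elements):
        label = el.get("widgetType") or el.get("elType", "?")
        here = path + (f"{label}[{idx}]",)
        for key, val in (el.get("settings") or {}).items():
            yield from _flatten(here, key, val)
        yield from walk(el.get("elements") or [], here)


def scan_elementor_data(post_id: int, raw_json: str) -> list:
    """Return one finding per suspicious setting in a page's _elementor_data."""
    findings = []
    for path, key, val in walk(json.loads(raw_json)):
        hits = scan_value(val)
        if hits:
            findings.append({"post_id": post_id, "path": "/".join(path),
                             "setting": key, "patterns": hits,
                             "snippet": val[:80]})
    return findings


if __name__ == "__main__":
    for post_id, raw in SAMPLE_POSTS.items():
        for f in scan_elementor_data(post_id, raw):
            print(f"post {f['post_id']} {f['path']} {f['setting']}: "
                  f"{','.join(f['patterns'])} -> {f['snippet']!r}")
```

On a live site the input comes from wp-cli, for example `wp post meta get <post_id> _elementor_data` per page, or `wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'"` for everything at once (adjust the table prefix if it is not wp_). Scan revisions as well, since Elementor stores autosaves as revisions with their own copy of the meta. Treat hits as leads, not verdicts: Elementor's own HTML widget legitimately holds raw markup, so triage each hit against which account saved the post and whether that account should be producing script at all.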


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  added:   cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrocoBlock JetBlocks For Elementor jet-blocks allows Stored XSS.This issue affects JetBlocks For Elementor: from n/a through <= 1.3.18.
  added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS.This issue affects JetBlocks For Elementor: from n/a through <= 1.3.18.

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics
  added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
  added: Crocoblock; Crocoblock jettabs For Elementor; Elementor; Elementor elementor; Wordpress; Wordpress wordpress
Type: Vendors & Products
  added: Crocoblock; Crocoblock jettabs For Elementor; Elementor; Elementor elementor; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
  added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrocoBlock JetBlocks For Elementor jet-blocks allows Stored XSS.This issue affects JetBlocks For Elementor: from n/a through <= 1.3.18.
Type: Title
  added: WordPress JetBlocks For Elementor plugin <= 1.3.18 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:08.263Z

Reserved: 2025-06-11T16:07:15.642Z

Link: CVE-2025-49934

Vulnrichment

Updated: 2025-10-23T15:56:42.460Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:39.617

Modified: 2026-04-27T20:16:18.350

Link: CVE-2025-49934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses