Impact
Improper neutralization of input during web page generation in the Crocoblock JetEngine plugin allows stored cross‑site scripting (XSS), an input validation flaw classified as CWE‑79. The CVE description indicates that malicious JavaScript can be saved and later rendered to site visitors. Based on that description, it is inferred that an attacker could inject scripts via JetEngine input fields such as forms or content editors, which are then rendered on subsequent page loads.
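The following stand‑alone PHP example, added here for illustration and not taken from JetEngine or any Crocoblock code, shows the CWE‑79 pattern the advisory describes: a stored value concatenated into markup unchanged, next to the hardened form that sanitizes on input and escapes on output. The helper names (escape_for_html, sanitize_text, render_field_vulnerable, render_field_hardened, looks_like_script_injection), the field label and the sample payload are constructed for the example; in a real WordPress plugin the helpers correspond to esc_html(), sanitize_text_field() and friends.

```php
<?php
// Added example (not JetEngine's code): the stored-XSS pattern behind CWE-79 in a
// WordPress plugin, written in plain PHP so it runs without WordPress loaded.
// escape_for_html() stands in for esc_html(), sanitize_text() for sanitize_text_field().
declare(strict_types=1);

/** Escape a string for placement inside HTML element content (cf. esc_html()). */
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Strip tags and control characters from a plain-text field (cf. sanitize_text_field()). */
function sanitize_text(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return trim($value);
}

/** Vulnerable: the stored value is dropped into the page exactly as saved. */
function render_field_vulnerable(string $label, string $stored): string
{
    return "<div class=\"field\"><span>{$label}</span>: {$stored}</div>";
}

/** Hardened: every dynamic value is escaped at the point of output. */
function render_field_hardened(string $label, string $stored): string
{
    return '<div class="field"><span>' . escape_for_html($label) . '</span>: '
        . escape_for_html($stored) . '</div>';
}

/** Audit helper: flag already-stored values that look like script injection. */
function looks_like_script_injection(string $stored): bool
{
    return (bool) preg_match('/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i', $stored);
}

// Constructed sample submission: a harmless probe, not a real payload.
$submitted = '<script>alert("xss")</script>';

$raw_store       = $submitted;                // what a vulnerable save handler stores
$sanitized_store = sanitize_text($submitted); // what a hardened save handler stores

echo "Vulnerable render (script reaches the browser):\n";
echo render_field_vulnerable('Name', $raw_store), "\n\n";

echo "Hardened render of the same raw value (escaped on output):\n";
echo render_field_hardened('Name', $raw_store), "\n\n";

echo "Hardened render of the sanitized value (tags removed on input):\n";
echo render_field_hardened('Name', $sanitized_store), "\n\n";

// Escaping on output is the control that actually closes CWE-79; input
// sanitization reduces what gets stored but must not be relied on alone.
echo 'Audit flag on stored raw value: ', looks_like_script_injection($raw_store) ? 'yes' : 'no', "\n";
```

The audit helper is useful after patching: values already saved before the update remain in the database, so scanning stored form entries and custom fields with a check like this is how a site owner finds content that was injected while the plugin was vulnerable.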
Affected Systems
Any WordPress site running JetEngine version 3.7.3 or earlier is affected. Sites using this plugin for dynamic content, forms, or custom post types may be impacted, as the flaw resides in the plugin’s handling of user‑supplied input.
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity. The EPSS score of less than 1% indicates a very low near‑term likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Because the payload would be stored and served to other users, a successful attack could compromise user sessions or deface content, but the required conditions (an editable form field that accepts raw input) suggest that exploitation is not trivial. The overall risk therefore remains moderate, with the recommendation to patch promptly before an exploit is discovered or deployed.
OpenCVE Enrichment