Improper neutralization of user‑controlled input leads to stored XSS in the JetElements For Elementor plugin. An attacker can inject malicious JavaScript that executes in the browsers of any user who views a page containing the compromised content, potentially allowing session hijacking, malicious redirects, or cookie theft. This weakness is identified as CWE‑79.

All installations of Crocoblock JetElements For Elementor that are version 2.7.7 or earlier are affected. The vulnerability is present in every release from the earliest unspecified version up to and including 2.7.7, so any site running a legacy or unpatched copy of the plugin faces risk.

The CVSS score of 6.5 indicates a moderate overall severity. An EPSS score of less than 1% suggests that, while exploitation is unlikely, it is still considered plausible, especially if an attacker can inject content through administrative control of the plugin. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported to date. Nonetheless, if an attacker can add or modify content within JetElements, they can introduce the malicious script and compromise all users who view the page. The threat remains significant for sites where the plugin is exposed to privileged content editing or allows users to submit data that ends up rendered by JetElements.