Impact
Crocoblock JetBlocks for Elementor contains a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of input during web page generation. An attacker who can inject a malicious payload into content stored by the plugin can cause client-side script execution whenever another user views the affected page. This can be used to steal session data, deface sites, or perform other malicious client-side actions. The weakness is classified as CWE-79.
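The rendering mistake behind CWE-79 in a page-builder widget, shown as an added illustration rather than JetBlocks' own code: the widget function names and the `title`/`link_url`/`body` setting keys are hypothetical, the WordPress escaping functions are real, and the snippet assumes it runs inside a WordPress request where those functions are loaded.

```php
<?php
// Added illustration, not JetBlocks code. Function and setting names are
// hypothetical; esc_url, esc_html and wp_kses_post are real WordPress APIs.

// Constructed sample of block settings an editor saved through the page
// builder. Stored values must be treated as untrusted when rendered.
$settings = array(
    'title'    => 'Welcome <b>friends</b> & "guests"',
    'link_url' => 'https://example.com/?ref=<demo>',
    'body'     => '<p>Intro text</p><em>with</em> limited markup',
);

// Vulnerable pattern (CWE-79): stored values are concatenated into the
// page verbatim, so any markup in them is interpreted by visitors' browsers.
function render_block_unsafe( array $s ): string {
    return '<a href="' . $s['link_url'] . '">' . $s['title'] . '</a>' . $s['body'];
}

// Hardened pattern: escape for the exact output context at render time.
// Sanitizing on save alone is not sufficient; the risk is realised on output.
function render_block_safe( array $s ): string {
    $html  = '<a href="' . esc_url( $s['link_url'] ) . '">'; // URL attribute context
    $html .= esc_html( $s['title'] );                         // HTML text context
    $html .= '</a>';
    $html .= wp_kses_post( $s['body'] );                      // allowlisted post HTML only
    return $html;
}

// For the sample above: esc_html turns <b> into &lt;b&gt; and & into &amp;,
// esc_url removes characters outside its permitted URL character set, and
// wp_kses_post keeps <p>/<em> while stripping tags and attributes that are
// not on the post-content allowlist.
echo render_block_safe( $settings );
```

When reviewing a plugin's widget code for this class of bug, look for settings being echoed without one of these context-specific escapers between the stored value and the output.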
Affected Systems
WordPress installations that have installed the JetBlocks for Elementor plugin in any version up to and including 1.3.19 are affected. The plugin, maintained by Crocoblock, is commonly added to provide custom blocks for the Elementor page builder. Administrators of sites running WordPress with this plugin should verify their installed version and consider upgrading.
Risk and Exploitability
The CVSS score of 6.5 places this publicly disclosed vulnerability at medium severity. The EPSS score is listed as less than 1%, implying a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Attack vectors for stored XSS typically require the attacker to hold privileges sufficient to insert content, such as an administrator or a user with block management rights, after which the malicious script executes for any user who views the relevant page. Because the vulnerability is stored, the payload persists until it is removed, so it affects every user who loads the page rather than a single victim.
OpenCVE Enrichment