Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor (jet-elements) allows Stored XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.9.
Published: 2025-08-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Crocoblock JetElements For Elementor plugin allows stored cross‑site scripting because user input is not neutralized before it is rendered on pages. An attacker can embed malicious JavaScript that persists in the site’s content. When a visitor loads the affected page, the injected script runs in the visitor’s browser, which can lead to session hijacking, cookie theft, or site defacement.

Affected Systems

WordPress installations running the JetElements For Elementor plugin at any version up to and including 2.7.9 are affected.

Risk and Exploitability

The CVSS v3 base score of 6.5 reflects moderate risk. The published CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) specifies a network attack vector, low privileges required, and user interaction required. The EPSS score is below 1%, indicating a very low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers would need to inject malicious code through an administrative or trusted user account that can edit content or widgets; once persisted, any user viewing the page would be affected.

Generated by OpenCVE AI on May 2, 2026 at 01:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JetElements For Elementor to the latest release provided by Crocoblock, as soon as a patch is available.
  • If an update cannot be applied immediately, uninstall or deactivate the plugin to eliminate the attack surface until a fix is released.
  • Restrict editing privileges to trusted administrators only and enforce stricter input sanitization on widget fields so that any user‑supplied content is properly escaped before being stored.

Advisories
Source: EUVD
ID: EUVD-2025-24927
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows Stored XSS. This issue affects JetElements For Elementor: from n/a through 2.7.9.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows Stored XSS. This issue affects JetElements For Elementor: from n/a through 2.7.9.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows Stored XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.9.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 15 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Crocoblock
Crocoblock jetelements For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Crocoblock
Crocoblock jetelements For Elementor
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows Stored XSS. This issue affects JetElements For Elementor: from n/a through 2.7.9.
Title WordPress JetElements For Elementor Plugin <= 2.7.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.418Z

Reserved: 2025-08-14T09:10:30.443Z

Link: CVE-2025-55714

Vulnrichment

Updated: 2025-08-14T19:36:54.740Z

NVD

Status: Deferred

Published: 2025-08-14T19:15:44.307

Modified: 2026-04-23T15:32:56.760

Link: CVE-2025-55714

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:15:06Z

Weaknesses