Impact
The JetElements For Elementor plugin for WordPress contains a DOM-based Cross-Site Scripting vulnerability caused by insufficient sanitization of user-supplied input during page rendering. An attacker who can influence plugin settings, or provide input that is subsequently returned to the browser, can inject arbitrary JavaScript that executes in the victim's browser. The weakness is classified as CWE-79.
Affected Systems
This flaw affects Crocoblock’s JetElements For Elementor plugin in all releases up to and including version 2.7.12. WordPress sites that have installed any of those versions are vulnerable regardless of hosting environment or WordPress configuration.
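To check an installation against the affected range above, the following added example (not code from the advisory or from Crocoblock) reads the standard WordPress plugin header of each plugin under a `plugins` directory and flags JetElements copies at or below 2.7.12. Matching on "jetelements" in the `Plugin Name` header is an assumption, and the directory names and versions in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 7, 12)   # advisory: all releases up to and including 2.7.12
NAME_MARKER = "jetelements"  # assumption: the "Plugin Name" header contains this

# WordPress plugin header fields, e.g. " * Version: 2.7.12"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def read_header(text):
    """Extract 'plugin name' and 'version' from a plugin file's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads the first 8 KB
        fields.setdefault(key.lower(), value)
    return fields

def parse_version(raw):
    """'2.7' -> (2, 7, 0); '2.8.0-beta1' -> (2, 8, 0); None if no digits."""
    nums = [int(n) for n in re.findall(r"\d+", raw.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def scan_plugins(plugins_dir):
    """Return (directory, version string, status) for each JetElements install found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php.read_text(encoding="utf-8", errors="replace"))
        if NAME_MARKER not in header.get("plugin name", "").lower().replace(" ", ""):
            continue
        version = parse_version(header.get("version", ""))
        if version is None:
            status = "unknown"          # no usable Version header: review by hand
        else:
            status = "affected" if version <= LAST_AFFECTED else "not affected"
        findings.append((php.parent.name, header.get("version", ""), status))
    return findings

def demo():
    """Run the scan over a constructed plugins directory (sample data, not real sites)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"jet-elements": "JetElements For Elementor|2.7.12",
                   "jet-elements-new": "JetElements For Elementor|2.7.12.1",
                   "other-plugin": "Some Other Plugin|1.0.0"}
        for folder, meta in samples.items():
            name, version = meta.split("|")
            (Path(root) / folder).mkdir()
            (Path(root) / folder / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return scan_plugins(root)
```

On a real host, pass the site's `wp-content/plugins` path to `scan_plugins()`; a status of `unknown` means the version header could not be parsed and the copy should be checked manually.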
Risk and Exploitability
The vulnerability has a CVSS score of 6.5, indicating medium severity. The Exploit Prediction Scoring System (EPSS) assigns it a probability of less than 1%, a low predicted likelihood of exploitation. It is not listed in CISA's KEV catalog. Based on the description, exploitation is inferred to occur via a DOM-based injection triggered by modifying plugin settings or inserting malicious content that the plugin reflects in client-side HTML; the victim must then load the affected page in their browser.
OpenCVE Enrichment