CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS. This issue affects JetBlocks For Elementor: from n/a through <= 1.3.18.
Analysis (AI)
Stored cross-site scripting (XSS) in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.18 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity, with an EPSS score of 0.06% indicating very low real-world exploitation likelihood despite the moderate CVSS 5.4 rating.
Technical Context (AI)
This is a CWE-79 (improper neutralization) failure in a WordPress Elementor plugin: user-supplied data is rendered into web pages without proper HTML entity encoding, and no content security policy limits what an injected script can do. The Elementor page builder ecosystem integrates dynamically generated content from plugin components (JetBlocks), and the improper neutralization occurs during the rendering phase, where stored input is converted into page output. The vulnerability is classified as stored XSS rather than reflected, meaning the malicious payload persists in the database and affects multiple users across page views, which makes it more serious than reflected variants. CPE coverage would typically be WP_PLUGIN_CROCOBLOCK_JETBLOCKS.
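As an added illustration of the encoding failure described above (this is not JetBlocks or Crocoblock code; the widget settings and the hostile() name are hypothetical), a stand-alone PHP snippet renders the same stored settings once raw and once escaped for each output context with WordPress's esc_html(), esc_attr() and esc_url(), with shims so it also runs outside WordPress:

```php
<?php
// Shims so the file runs without WordPress loaded. Inside WordPress the
// real esc_html()/esc_attr()/esc_url() from wp-includes/formatting.php apply.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Minimal shim: only http(s) and site-relative URLs pass; WordPress's
    // esc_url() applies its full wp_allowed_protocols() list instead.
    function esc_url(string $url): string {
        if (!preg_match('#^(https?://|/)#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (CWE-79): stored widget settings concatenated straight
// into markup, so whatever a low-privilege editor saved reaches every visitor.
function render_vulnerable(array $settings): string {
    return '<a class="jet-item" title="' . $settings['title'] . '" href="'
        . $settings['url'] . '">' . $settings['label'] . '</a>';
}

// Hardened pattern: escape each value for the context it lands in
// (attribute, URL attribute, element body).
function render_hardened(array $settings): string {
    return '<a class="jet-item" title="' . esc_attr($settings['title']) . '" href="'
        . esc_url($settings['url']) . '">' . esc_html($settings['label']) . '</a>';
}

// Constructed sample of settings a hostile editor could save (hypothetical).
$settings = [
    'title' => 'x" onmouseover="hostile()',
    'url'   => 'javascript:hostile()',
    'label' => '<script>hostile()</script>',
];
echo render_vulnerable($settings), "\n"; // attribute breakout, javascript: href and script tag all survive
echo render_hardened($settings), "\n";   // all three are rendered as inert text; the href becomes empty
```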
Affected Products (AI)
Crocoblock JetBlocks For Elementor plugin for WordPress is affected in versions from initial release through version 1.3.18. The vulnerability exists across all installations of this Elementor page builder extension at or below the 1.3.18 release. More information is available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/jet-blocks/vulnerability/wordpress-jetblocks-for-elementor-plugin-1-3-18-cross-site-scripting-xss-vulnerability?_s_id=cve.
Remediation (AI)
Update the JetBlocks For Elementor plugin to the first version released after 1.3.18. WordPress administrators should navigate to the Plugins section, locate JetBlocks For Elementor, and apply the available update immediately. The Patchstack advisory (referenced above) should be consulted for the exact patched version number and any additional configuration recommendations from Crocoblock. Until patching is possible, administrators should restrict the user roles capable of editing Elementor pages and JetBlocks content to trusted personnel only, reducing the likelihood of lower-privilege account compromise.