CVE-2025-53982

2025-07-16 [email protected]
WordPress PHP XSS

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionNVD

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows Stored XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.7.

AnalysisAI

Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin version 2.7.7 and earlier allows authenticated users to inject malicious scripts into web pages that execute in the browsers of other users viewing the affected content. The vulnerability exists in the plugin's input handling during web page generation, enabling persistent XSS attacks through stored payloads. While no public exploit code has been identified, the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the moderate attack surface of WordPress plugins.

Technical ContextAI

JetElements For Elementor is a WordPress plugin that extends the Elementor page builder with additional content elements and widgets. The vulnerability stems from improper neutralization of user input (CWE-79) during the generation of HTML content for web pages. The plugin fails to adequately sanitize or escape user-supplied data before rendering it in the page output, allowing attackers to inject arbitrary JavaScript code. Because this is classified as stored XSS rather than reflected, the malicious payload persists in the plugin's data storage (typically WordPress post meta or options tables) and affects all users who access the compromised page or element, not just the initial attacker.

Affected ProductsAI

Crocoblock JetElements For Elementor plugin versions through 2.7.7 are affected. The vulnerability impacts all installations of this WordPress plugin up to and including version 2.7.7. Affected systems are identified by CPE specification for WordPress plugins, specifically those running the jet-elements plugin component of Elementor. Organizations should consult the Patchstack vulnerability database entry for precise version detection and inventory matching.

RemediationAI

Update JetElements For Elementor to version 2.7.8 or later, which contains patches for the input sanitization flaws. Site administrators should immediately upgrade the plugin through the WordPress admin dashboard (Plugins > Installed Plugins > Jet Elements > Update) or via command-line tools like WP-CLI. As an interim measure pending patching, restrict administrative and editing capabilities to trusted users only, implement WordPress security plugins with XSS detection, and review stored content for suspicious scripts if the plugin has been running in production. For detailed patch information and verification, consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/jet-elements/.

Share

CVE-2025-53982 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy