CVE-2025-53989

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Stored XSS. This issue affects JetBlocks For Elementor: from n/a through <= 1.3.19.

Analysis (AI)

Stored cross-site scripting in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.19 enables authenticated attackers to inject malicious scripts into web pages, where they execute in the browsers of site visitors and administrators. The vulnerability stems from improper input sanitization during page generation, which allows an XSS payload to be stored persistently in the WordPress database. No public exploit code has been identified at time of analysis, and the low EPSS score (0.04%) suggests limited real-world exploitation despite the stored XSS vector.

Technical Context (AI)

JetBlocks For Elementor is a WordPress plugin that extends the Elementor page builder with additional content blocks and components. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-supplied input is not properly sanitized or escaped before being rendered in HTML output. This allows attackers to inject arbitrary JavaScript code through plugin input fields. The stored nature of this XSS means payloads persist in the WordPress database and execute whenever affected pages are viewed, affecting all site visitors rather than only the attacker's session.

Affected Products (AI)

The Crocoblock JetBlocks For Elementor plugin for WordPress is affected in all versions up to and including 1.3.19. The plugin CPE would be cpe:2.3:a:crocoblock:jet-blocks:*:*:*:*:*:wordpress:*:*. Additional details are available from the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/jet-blocks/vulnerability/wordpress-jetblocks-for-elementor-plugin-1-3-19-cross-site-scripting-xss-vulnerability.

Remediation (AI)

Update the Crocoblock JetBlocks For Elementor plugin to the latest version beyond 1.3.19 immediately, through the WordPress plugin dashboard or via direct download from the official plugin repository. The vendor advisory at Patchstack provides confirmation of the vulnerability scope. Until patching is completed, site administrators should restrict plugin usage to trusted users with administrative privileges and regularly audit post and page content for suspicious embedded scripts. WordPress administrators should also consider temporarily disabling the plugin if an upgrade is not immediately possible and a thorough security review has not been performed.
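The content audit recommended above can be scripted; the following is an added example, not code from the advisory or the plugin. It assumes the Elementor layout JSON has been exported from the `_elementor_data` post meta (for example with `wp post meta get <post-id> _elementor_data`) and that elements carry `id`, `elType`, `widgetType`, `settings` and `elements` keys. The advisory does not name the affected field, so every string setting is scanned; the sample document and its widget name are constructed.

```python
import json
import re

# Markup that plain widget settings rarely need; hits are leads for manual review.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE
)

def walk_strings(value, path):
    """Yield (path, text) for every string nested inside a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from walk_strings(item, f"{path}.{key}")
    elif isinstance(value, list):  # settings may also be a (possibly empty) list
        for index, item in enumerate(value):
            yield from walk_strings(item, f"{path}[{index}]")

def audit_elements(elements):
    """Return one finding per suspicious string, recursing into child elements."""
    findings = []
    for element in elements:
        if not isinstance(element, dict):
            continue
        widget = element.get("widgetType") or element.get("elType")
        for path, text in walk_strings(element.get("settings", {}), "settings"):
            hit = SUSPICIOUS.search(text)
            if hit:
                findings.append({"id": element.get("id"), "widget": widget,
                                 "path": path, "match": hit.group(0)})
        findings.extend(audit_elements(element.get("elements") or []))
    return findings

def audit_document(raw_json):
    """Audit one layout document given as a JSON string."""
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError:
        return [{"id": None, "widget": None, "path": "", "match": "unparseable JSON"}]
    return audit_elements(data if isinstance(data, list) else [])

# Constructed sample: layout shape is assumed, widget name is hypothetical.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": [], "elements": [
    {"id": "b2", "elType": "widget", "widgetType": "example-widget",
     "settings": {"title": "Welcome", "link": {"url": "https://example.com"}}},
    {"id": "c3", "elType": "widget", "widgetType": "example-widget",
     "settings": {"label": "<img src=x onerror=alert(1)>"}},
]}])

if __name__ == "__main__":
    for finding in audit_document(SAMPLE):
        print(finding)
```

The pattern is deliberately broad, so legitimate embeds and text such as `online =` will also be flagged and need a human decision.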
