CVE-2025-64355

2025-12-18

Lifecycle Timeline

CVE Published: Dec 18, 2025 - 17:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.12.

Analysis

DOM-based cross-site scripting (XSS) in the Crocoblock JetElements For Elementor plugin, versions up to and including 2.7.12, lets an attacker run script of their choosing in the browser of anyone who opens a crafted link to an affected site, because the plugin's client-side code writes attacker-controlled data into the page without neutralizing it. The vulnerability affects WordPress sites that use this Elementor extension. Against an ordinary visitor the injected script can insert phishing forms, rewrite links or redirect to a malware download; against a logged-in editor or administrator it can perform authenticated actions in that user's context. WordPress authentication cookies are set HttpOnly, so the script cannot read them directly, but it can send requests that carry them, to wp-admin and admin-ajax.php endpoints included, using the nonces the page already exposes. The EPSS score is 0.04%, a low predicted probability of exploitation in the wild, but the attack is network-reachable and needs no authentication beyond persuading a user to open a crafted URL.

Technical Context

The vulnerability is classed as CWE-79 (Improper Neutralization of Input During Web Page Generation): user-controlled input reaches HTML output without sanitization or context-appropriate encoding. In the DOM-based variant the injection happens entirely on the client. The page's own JavaScript reads untrusted data from a source such as location.hash, location.search, document.referrer or a postMessage payload and passes it to a sink such as innerHTML, document.write, jQuery's .html() or .append() called with a string, or eval. Server-side validation does not help because the data may never reach the server: a payload carried in the URL fragment (everything after #) is not sent in the HTTP request, so server-side filters, WAF rules and access logs are blind to it. JetElements For Elementor is a WordPress plugin that adds widgets to the Elementor page builder. The data summarized on this page does not identify the affected widget or script; what can be inferred from the classification is that one of the plugin's front-end handlers builds page content from a value the attacker controls, most plausibly a URL parameter or fragment. Because the payload lives in the URL, the typical attack is a crafted link delivered by email, chat or a referring page that executes when the victim's browser runs the vulnerable script; nothing needs to be stored on the site.
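The source-to-sink pattern described above, as an added example that is not code from JetElements, Crocoblock or the Patchstack advisory: a hypothetical tab widget reads a `tab=` value from the URL and writes it into the page. The vulnerable form, an allowlisted form and an HTML-encoded form are shown side by side. The `tab` parameter, the function and class names, and the sample URL are constructed for illustration; a minimal stand-in replaces the DOM element so the block runs under Node without a browser.

```javascript
// Added example (not JetElements or Crocoblock code): the DOM-XSS source-to-sink
// pattern behind CWE-79, runnable under Node without a browser. The `tab`
// parameter, function names and class names are hypothetical.

// Minimal stand-in for a DOM element exposing only the two sinks compared here.
// In a real browser, assigning innerHTML parses the markup and runs any event
// handler it contains; textContent shows the characters literally.
class FakeElement {
  constructor() {
    this.innerHTML = "";
    this.textContent = "";
  }
}

// Untrusted source: `tab=` from the URL fragment, falling back to the query.
// The fragment (everything after #) is never sent in the HTTP request, so
// server-side validation, WAF rules and access logs never see it.
function parseTabFromUrl(href) {
  const url = new URL(href);
  const fromHash = new URLSearchParams(url.hash.replace(/^#/, "")).get("tab");
  return fromHash !== null ? fromHash : url.searchParams.get("tab");
}

// Vulnerable pattern: untrusted string concatenated into markup and assigned
// to an HTML sink. Whatever follows #tab= becomes part of the DOM.
function renderTabVulnerable(el, href) {
  const tab = parseTabFromUrl(href) || "overview";
  el.innerHTML = '<h2 class="tab-title">' + tab + "</h2>";
  return el.innerHTML;
}

// Hardened pattern: validate against the values the widget actually supports
// (fall back to a safe default) and write the result as text, not HTML.
const ALLOWED_TABS = new Set(["overview", "pricing", "reviews"]);

function renderTabHardened(el, href) {
  const raw = parseTabFromUrl(href) || "";
  el.textContent = ALLOWED_TABS.has(raw) ? raw : "overview";
  return el.textContent;
}

// When markup is genuinely required, HTML-encode the five significant
// characters before concatenation so the input can only ever be text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderTabEncoded(el, href) {
  const tab = parseTabFromUrl(href) || "overview";
  el.innerHTML = '<h2 class="tab-title">' + escapeHtml(tab) + "</h2>";
  return el.innerHTML;
}

// Constructed sample: a crafted link carrying the payload in the fragment.
const PAYLOAD_URL = "https://shop.example/product/#tab=<img src=x onerror=alert(1)>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderTabVulnerable(new FakeElement(), PAYLOAD_URL));
  console.log("hardened:  ", renderTabHardened(new FakeElement(), PAYLOAD_URL));
  console.log("encoded:   ", renderTabEncoded(new FakeElement(), PAYLOAD_URL));
}
```

Run it with `node` to see the three outputs for the same crafted URL: the vulnerable sink emits the `<img ... onerror=...>` element intact, the allowlisted version silently falls back to `overview`, and the encoded version emits `&lt;img ...&gt;`. The allowlist is the stronger fix when the set of legal values is known; encoding is the fallback when arbitrary text must be displayed. Neither depends on anything the server can see.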

Affected Products

Crocoblock JetElements For Elementor (WordPress plugin, slug jet-elements), distributed by Crocoblock, in all versions up to and including 2.7.12. The advisory gives no lower bound ("from n/a"), so no earlier release should be assumed safe; treat any installed version at or below 2.7.12 as vulnerable. Reference: https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve

Remediation

Update JetElements For Elementor to the release that fixes CVE-2025-64355. The data here only establishes that 2.7.12 is the last affected version, so confirm the exact patched version in the Crocoblock changelog and the Patchstack advisory before relying on it. If an immediate update is not possible, deactivate the plugin until it is; this breaks any page that uses its widgets, so check the affected Elementor designs first. Content Security Policy is a genuine mitigation for DOM-based XSS, but only in its strict form: a script-src built from per-request nonces or hashes (optionally with 'strict-dynamic'). A policy that allows 'unsafe-inline' does not stop an injected inline handler such as onerror=, and Elementor-built pages typically emit inline scripts, so expect to work through violations in Content-Security-Policy-Report-Only mode before enforcing. Do not rely on a WAF for this class of bug: a payload in the URL fragment never reaches the server. Audit the site's own custom JavaScript and theme templates for the same pattern (values read from location.hash or location.search and written through innerHTML, document.write or jQuery .html()). Test the updated plugin in a staging environment before production deployment to ensure compatibility with existing Elementor designs. Reference: https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability

Priority Score

Priority Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
