{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24958", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:35.464Z", "datePublished": "2026-02-03T14:08:34.584Z", "dateUpdated": "2026-04-28T16:14:51.923Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected", "packageName": "jet-elements", "product": "JetElements For Elementor", "vendor": "Crocoblock", "versions": [{"changes": [{"at": "2.7.12.3", "status": "unaffected"}], "lessThanOrEqual": "2.7.12.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:57.458Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.<p>This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.923Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress JetElements For Elementor plugin <= 2.7.12.2 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T18:25:44.511306Z", "id": "CVE-2026-24958", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:51:26.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24958", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T18:25:44.511306Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T18:24:17.901Z"}}], "cna": {"title": "WordPress JetElements For Elementor plugin <= 2.7.12.2 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "affected": [{"vendor": "Crocoblock", "product": "JetElements For Elementor", "versions": [{"status": "affected", "changes": [{"at": "2.7.12.3", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.7.12.2"}], "packageName": "jet-elements", "collectionURL": "https://crocoblock.com", "defaultStatus": "unaffected"}], "datePublic": "2026-02-02T15:56:53.388Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.<p>This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-03T14:08:34.584Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24958", "state": "PUBLISHED", "dateUpdated": "2026-02-03T18:26:31.834Z", "dateReserved": "2026-01-28T09:50:35.464Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:34.584Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en Crocoblock JetElements For Elementor jet-elements permite XSS basado en DOM. Este problema afecta a JetElements For Elementor: desde n/a hasta &lt;= 2.7.12.2."}], "id": "CVE-2026-24958", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:16.550", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:19:08.508228+00:00", "value": {"mitigation_remediation": ["Update JetElements to the latest version (\u2265\u202f2.7.12.3) to remove the vulnerable code.", "If an update is not possible, remove or disable the plugin until a patch is available to eliminate the attack surface.", "For any custom code that utilizes the plugin\u2019s input fields, apply proper input sanitization and HTML encoding before rendering to the page, following best practices for preventing XSS."], "summary": {"action": "Immediate Patch", "impact": "Cross Site Scripting"}, "threat_synthesis": {"affected_systems": "Crocsoblock JetElements For Elementor plugin, versions from the earliest release up through 2.7.12.2, is affected. Any WordPress installation that has this plugin installed and has not yet upgraded past 2.7.12.2 is at risk.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation that allows an attacker to inject script code into the client\u2019s browser. This DOM\u2011based XSS can execute arbitrary JavaScript in the context of the victim, potentially exposing session cookies, defacing content, or redirecting users to malicious sites. The weakness resides in the JetElements For Elementor plugin, and attackers do not need elevated privileges on the site to utilize it, as the flaw is publicly accessible through user\u2011controlled input fields in the plugin.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate impact with potential for permanent damage to a user session. EPSS is below 1%, suggesting low exploitation probability at the time of analysis. The vulnerability is not in the KEV catalog, so no publicly known exploits are cataloged. Attackers would likely embed malicious script via the plugin\u2019s input fields and rely on browsers performing DOM manipulation, meaning the vector is web\u2011based and requires the victim to visit an affected page."}}}}, "created": "2026-02-04T12:14:08.749300+00:00", "updated": "2026-04-16T01:30:20.305599+00:00", "vendors": ["crocoblock", "crocoblock$PRODUCT$jetelements_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}