CVE-2025-39451 HIGH

CVE-2025-39451: WordPress JetBlocks For Elementor plugin <= 1.3.16 - Broken Access Control Vulnerability

Vendor Crocoblock

Product JetBlocks For Elementor

Weakness CWE-862 · Missing authorization

Published May 19, 2025

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects JetBlocks For Elementor: from n/a through <= 1.3.16.

Explanation of Vulnerability in Simple Terms

02Summary

JetBlocks For Elementor versions up to 1.3.16 lack proper authorization checks, allowing unauthenticated attackers to read sensitive data. An attacker can access information without logging in or requiring any special privileges. Site administrators should update to a version newer than 1.3.16 immediately.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the site without logging in.

Potential impact on your site

04Site Impact

Confidential information may be exposed to anyone on the internet.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 19, 2025 CVE published

May 12, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-39451 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities