Impact
The Colibri Page Builder plugin contains a stored cross‑site scripting flaw in its "colibri_loop" shortcode, caused by insufficient input sanitization and output escaping of user‑supplied shortcode attributes. An attacker who can authenticate to the WordPress site with contributor‑level or higher privileges can place a shortcode whose attribute values carry arbitrary JavaScript; the payload is persisted in the post content. When a visitor loads the affected page, the script executes in their browser in the site's origin, enabling defacement, session or cookie theft, and phishing. The injected code runs with the authority of the viewing user, so the flaw compromises confidentiality and integrity for everyone who views the affected content, including higher‑privileged users such as editors and administrators.
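The handler pair below is an added illustration of the vulnerability class the advisory describes: a shortcode that interpolates attacker‑controlled attribute values into HTML without escaping, next to the same handler hardened with WordPress's own sanitization and escaping functions. It is hypothetical code written for this page, not the Colibri Page Builder source, and the `demo_loop_*` shortcode names, attribute names and the sample payload are constructed for the example. It also shows why the Contributor role's HTML filtering does not help: the filtered content contains no `<`, so `wp_kses` has nothing to strip, and the markup is only assembled at render time.

```php
<?php
// Hypothetical shortcode handlers written for this page; not the plugin's code.
// Both handlers are driven by the same constructed attacker input (assumption):
//   [demo_loop_vulnerable class='x" onmouseover="alert(document.cookie)' title='<b>hi</b>']
// That string contains no '<' inside the shortcode brackets except in "title",
// so a Contributor (no unfiltered_html) can save it and wp_kses leaves the
// "class" value untouched; the HTML attribute only comes into existence when
// the shortcode is rendered.

// Vulnerable pattern: attribute values go straight into attribute and text
// contexts. class='x" onmouseover="...' closes the class attribute and adds
// an event handler, which runs for every visitor who hovers the element.
function demo_loop_vulnerable($atts) {
    $atts = shortcode_atts(array('class' => 'loop', 'title' => ''), $atts, 'demo_loop_vulnerable');
    return '<div class="' . $atts['class'] . '"><h2>' . $atts['title'] . '</h2></div>';
}

// Hardened pattern: allow-list on input, context-appropriate escaping on output.
//  - sanitize_html_class() keeps only [A-Za-z0-9_-], so quotes, '=' and spaces
//    needed to break out of the attribute are dropped (falls back to "loop").
//  - sanitize_text_field() strips tags and control characters from free text.
//  - esc_attr() / esc_html() encode whatever survives for their HTML context.
function demo_loop_hardened($atts) {
    $atts  = shortcode_atts(array('class' => 'loop', 'title' => ''), $atts, 'demo_loop_hardened');
    $class = sanitize_html_class($atts['class'], 'loop');
    $title = sanitize_text_field($atts['title']);
    return '<div class="' . esc_attr($class) . '"><h2>' . esc_html($title) . '</h2></div>';
}

add_shortcode('demo_loop_vulnerable', 'demo_loop_vulnerable');
add_shortcode('demo_loop_hardened', 'demo_loop_hardened');

// Rendering the constructed input through do_shortcode() yields, respectively:
//   <div class="x" onmouseover="alert(document.cookie)"><h2><b>hi</b></h2></div>
//   <div class="xonmouseoveralertdocumentcookie"><h2>hi</h2></div>
```

The design point is that `shortcode_atts()` only merges defaults; it performs no sanitization, so every attribute that reaches HTML needs an escaping call matched to its destination (attribute, text, URL, or JavaScript), and escaping belongs in the handler rather than in whatever saved the post.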
Affected Systems
ExtendThemes' Colibri Page Builder plugin for WordPress is affected in all versions up to and including 1.0.335. The issue exists regardless of the active theme or other installed plugins, as the flaw is confined to the shortcode handling within Colibri Page Builder itself; any site with a vulnerable version installed and active, and at least one contributor‑level account an attacker can obtain, is exposed.
Risk and Exploitability
The CVSS score of 6.4 indicates a medium‑severity issue, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, so no in‑the‑wild exploitation has been confirmed there. Exploitation requires an authenticated account with at least contributor access, the lowest WordPress role that can create posts and one commonly handed to guest authors and content staff. Because the flaw is stored, a single injected shortcode keeps executing for every visitor who views the affected content until it is removed, and a contributor's pending post can also reach the editors and administrators who review it. Given moderate severity and low current exploitation likelihood, updating to a fixed release is recommended; since the payloads themselves remain in the database after the update, reviewing existing content for injected shortcode attributes is a worthwhile follow‑up.
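The following is an added content‑audit script for the follow‑up described above; it is not part of the advisory or of the Colibri Page Builder project. It is meant to be run on the site with WP‑CLI (`wp eval-file scan_colibri_loop.php`), which loads WordPress so `$wpdb`, `get_shortcode_regex()` and `shortcode_parse_atts()` are available. It deliberately does not filter on `post_status`, because a contributor's payload is most likely to sit in a draft or pending post rather than a published one. The heuristic pattern for suspicious attribute values is an assumption chosen for this example, not a signature published for this CVE.

```php
<?php
// Added audit script, written for this page (not the plugin's or OpenCVE's code).
// Usage: wp eval-file scan_colibri_loop.php
// Lists every colibri_loop shortcode whose attribute values look like an attempt
// to break out of an HTML attribute or to introduce markup or script.

global $wpdb;

$shortcode = 'colibri_loop';

// Cheap pre-filter in SQL, then a proper shortcode parse in PHP. No post_status
// filter: drafts and pending-review posts from contributors are in scope too.
$like = '%' . $wpdb->esc_like('[' . $shortcode) . '%';
$rows = $wpdb->get_results($wpdb->prepare(
    "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s",
    $like
));

// WordPress's own shortcode regex restricted to this tag; match group 3 is the
// raw attribute string, which shortcode_parse_atts() turns into name => value.
$pattern = '/' . get_shortcode_regex(array($shortcode)) . '/s';

// Heuristic (assumption for this example): a stray quote survives parse only if
// it was nested inside the other quote style; '<', 'javascript:' and on*= are the
// usual markers of markup or event-handler injection.
$suspicious = '/<|javascript:|\bon[a-z]+\s*=|["\']/i';

$findings = 0;
foreach ($rows as $row) {
    if (!preg_match_all($pattern, $row->post_content, $matches, PREG_SET_ORDER)) {
        continue;
    }
    foreach ($matches as $sc) {
        $atts = shortcode_parse_atts($sc[3]);
        if (!is_array($atts)) {
            continue; // shortcode with no attributes
        }
        foreach ($atts as $name => $value) {
            if (preg_match($suspicious, (string) $value)) {
                $findings++;
                $msg = sprintf(
                    'post %d (%s, author %d): [%s] attribute %s => %s',
                    $row->ID, $row->post_status, $row->post_author,
                    $shortcode, $name, (string) $value
                );
                if (class_exists('WP_CLI')) {
                    WP_CLI::warning($msg);
                } else {
                    echo $msg, PHP_EOL;
                }
            }
        }
    }
}

$summary = sprintf('%d post(s) contain [%s]; %d suspicious attribute value(s).', count($rows), $shortcode, $findings);
if (class_exists('WP_CLI')) {
    WP_CLI::log($summary);
} else {
    echo $summary, PHP_EOL;
}
```

Each finding carries the author ID, which is the lead for the incident side of the response: the account that stored the payload either belongs to an attacker or has been compromised, and should be reviewed (or have its password and sessions reset) alongside removing the content. Revisions are stored in the same table with `post_type = 'revision'`, so the query covers them as well.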
OpenCVE Enrichment