Description
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing arbitrary script execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from insufficient sanitization and output escaping of user-supplied attributes of the colibri_blog_posts shortcode. An attacker places the shortcode with a crafted attribute value in a post; the value is stored in the database and written into the rendered HTML without escaping whenever the page is viewed, so the browser interprets it as markup or script. This flaw corresponds to CWE-79 (Improper Neutralization of Input During Web Page Generation). Because the injected script runs in the site's origin within the viewer's session, it can perform authenticated actions as that viewer (an administrator previewing the post could, for example, be made to create a new administrator account or install a plugin), inject phishing forms to capture credentials, deface the page, or redirect visitors. The changed scope in the CVSS vector (S:C) reflects that the impact lands in site visitors' browsers rather than in the plugin itself.

Affected Systems

All versions of the Colibri Page Builder plugin for WordPress up to and including 1.0.345 are affected. Exploitation requires an authenticated account with the Contributor role or higher. Contributors cannot publish, but they can create posts containing the shortcode and submit them for review, so the payload can fire in the browser of the editor or administrator who previews the submission, and in every visitor's browser once it is published. Site administrators running an affected version should therefore treat any account able to create or edit post content as a potential source of the payload, not only accounts that can publish.

Risk and Exploitability

The CVSS 3.1 base score is 6.4 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, low privileges (a contributor account, not an administrative one), no user interaction required, and a scope change because the script executes in visitors' browsers, with low confidentiality and integrity impact and no availability impact. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog; the SSVC assessment in this record rates exploitation as none, the flaw as not automatable and the technical impact as partial. Once an attacker holds a contributor account the attack is straightforward: create or edit a post containing the shortcode with a malicious attribute value, save it, and wait for a reviewer to preview it or for it to be published, at which point the payload runs for everyone who views the page.

Generated by OpenCVE AI on April 21, 2026 at 00:42 UTC.

Remediation

This record links no vendor advisory or workaround. The affected range (up to and including 1.0.345) indicates the issue was addressed in the release that followed; confirm the fixed version against the plugin's changelog before relying on it.

OpenCVE Recommended Actions

  • Upgrade to Colibri Page Builder 1.0.346 or later, the first release outside the affected range, and verify in the plugin changelog that the shortcode fix is included.
  • If an upgrade cannot be performed immediately, review every instance of the colibri_blog_posts shortcode in posts and pages and remove or rewrite any whose attribute values contain quotes, angle brackets, event-handler names (on...=) or javascript: URLs.
  • Tighten role management until the upgrade is applied: audit all Contributor and higher accounts, disable any self-registration that grants those roles, and remove untrusted users, since any such account can stage the payload even without publishing rights.
  • Hunt for existing payloads: query wp_posts (including drafts, pending submissions and revisions, not only published posts) for post_content containing [colibri_blog_posts, inspect the attribute values, sanitize or delete malicious content, and review which accounts authored the affected posts.
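The attribute-breakout mechanism described under Impact and the database hunt recommended above, as an added example written for this page; it is not the plugin's code, not WordPress core and not an OpenCVE tool. It parses colibri_blog_posts shortcodes with a simplified stand-in for WordPress's shortcode attribute grammar (an assumption, adequate for hunting but not a faithful reimplementation), flags attribute values that carry HTML tags, javascript: URLs, inline event handlers or a quote that closes the attribute and starts a new one, and shows why escaping on output (html.escape here, esc_attr()/esc_url()/esc_html() in WordPress) renders the same value inert. The post contents and IDs are constructed samples.

```python
"""Hunt for script-bearing attribute values in colibri_blog_posts shortcodes.

Added example for this page: not the plugin's code, not WordPress core and
not an OpenCVE tool. The post contents below are constructed samples.
"""
import html
import re

SHORTCODE_TAG = "colibri_blog_posts"

# A shortcode runs from "[tag" to the next "]". WordPress also stops at the
# first "]", so a payload cannot hide one inside an attribute value.
SHORTCODE_RE = re.compile(
    r"\[" + re.escape(SHORTCODE_TAG) + r"(?![\w-])([^\]]*)\]", re.IGNORECASE
)

# Simplified stand-in for WordPress's shortcode attribute grammar:
# key="value", key='value' or key=value (assumption: good enough for a hunt).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")

# Patterns that have no business in a blog-listing attribute. Entities are
# decoded before matching so that java&#115;cript: is caught as well.
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?[a-z!]", re.IGNORECASE)),
    # A javascript: scheme at the start of the value or right after a quote/=
    # (a prose mention such as "on JavaScript: basics" is not flagged).
    ("javascript_url", re.compile(r"""(?:^|["'=])\s*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:""", re.IGNORECASE)),
    ("event_handler", re.compile(r"""(?:^|[\s"'/])on[a-z]+\s*=""", re.IGNORECASE)),
    # A quote followed by a new name=... is the tell-tale of an attribute
    # breakout: the value closes the real attribute and starts its own.
    ("attribute_breakout", re.compile(r"""["'][^"']*\s+[a-z-]+\s*=""", re.IGNORECASE)),
]


def parse_shortcodes(content: str) -> list[dict[str, str]]:
    """Return one {attribute: value} dict per colibri_blog_posts shortcode."""
    occurrences = []
    for match in SHORTCODE_RE.finditer(content):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(match.group(1)):
            attrs[name.lower()] = dq or sq or bare
        occurrences.append(attrs)
    return occurrences


def classify(value: str) -> list[str]:
    """Labels of the suspicious patterns an attribute value matches."""
    decoded = html.unescape(value)
    return [label for label, rx in SUSPICIOUS if rx.search(decoded)]


def scan_post(post_id: int, content: str) -> list[tuple[int, str, str, list[str]]]:
    """(post_id, attribute, raw value, reasons) for every suspicious attribute."""
    findings = []
    for attrs in parse_shortcodes(content):
        for name, value in attrs.items():
            reasons = classify(value)
            if reasons:
                findings.append((post_id, name, value, reasons))
    return findings


def scan_posts(posts: dict[int, str]) -> list[tuple[int, str, str, list[str]]]:
    """Scan a {post_id: post_content} mapping (e.g. rows pulled from wp_posts)."""
    return [f for post_id, content in posts.items() for f in scan_post(post_id, content)]


def render_attr_unescaped(name: str, value: str) -> str:
    """The vulnerable pattern: the stored value is concatenated into HTML as-is."""
    return f'{name}="{value}"'


def render_attr_escaped(name: str, value: str) -> str:
    """The hardened pattern: escape on output (esc_attr() in WordPress)."""
    return f'{name}="{html.escape(value, quote=True)}"'


# Constructed sample post_content rows keyed by a made-up post ID.
SAMPLE_POSTS = {
    101: "Our latest news:\n[colibri_blog_posts count=\"5\" category='news' title=\"Editor's picks\"]",
    # Realistic contributor payload: no angle brackets, so the kses filter that
    # WordPress applies to accounts without unfiltered_html lets it through.
    102: "[colibri_blog_posts count='3' title='\" onmouseover=\"alert(document.cookie)']",
    103: "[colibri_blog_posts link=\"java&#115;cript:alert(1)\" count=2]",
    104: "<p>no shortcode here</p> [colibri_blog_posts_extra title=\"x\"]",
    105: "[colibri_blog_posts title=\"<img src=x onerror=alert(1)>\"]",
}

if __name__ == "__main__":
    for post_id, name, value, reasons in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {name}={value!r} -> {', '.join(reasons)}")
    payload = parse_shortcodes(SAMPLE_POSTS[102])[0]["title"]
    print("vulnerable output:", render_attr_unescaped("title", payload))
    print("hardened output:  ", render_attr_escaped("title", payload))
```

On a live site the input mapping comes from wp_posts.post_content; a query such as `wp db query "SELECT ID, post_status, post_author, post_content FROM wp_posts WHERE post_content LIKE '%[colibri_blog_posts%'"` (adjust the table prefix to the installation's) returns drafts, pending submissions and revisions as well as published posts, which matters here because a contributor's payload sits in a pending post until someone previews it. The rendering pair at the end shows the whole bug in one line: post 102's value, concatenated raw, closes the title attribute and adds an onmouseover handler, while the escaped form keeps it inside the attribute as literal text.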

Advisories

No advisories yet.

History

Sun, 21 Dec 2025 21:30:00 +0000

Type: First Time appeared
Values Added: Extendthemes; Extendthemes colibri Page Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Extendthemes; Extendthemes colibri Page Builder; Wordpress; Wordpress wordpress

Fri, 19 Dec 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Dec 2025 08:30:00 +0000

Type: Description
Values Added: The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Colibri Page Builder <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:21.688Z

Reserved: 2025-10-14T14:42:25.674Z

Link: CVE-2025-11747

Vulnrichment

Updated: 2025-12-19T15:34:34.731Z

NVD

Status: Deferred

Published: 2025-12-19T09:15:45.963

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses