Description
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-16
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Ultimate Addons for WPBakery plugin has a stored cross‑site scripting flaw caused by insufficient input sanitization and output escaping. A malicious payload can be stored in a writable field and executed automatically in the browsers of any user who visits the affected page, allowing the attacker to run arbitrary client‑side code. The CVE description does not specify additional consequences such as credential theft or session hijacking.

Affected Systems

All versions of the Ultimate Addons for WPBakery plugin for WordPress prior to 3.21.1, maintained by Brainstorm Force, are affected. Sites running WordPress with the WPBakery Page Builder and the plugin installed and active are at risk.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers can inject a malicious payload via a writable field in the plugin—even without authentication—so no prior credentials are required. Once stored, the script is delivered to every visitor of the page, resulting in arbitrary client‑side code execution.

Generated by OpenCVE AI on April 28, 2026 at 10:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate Addons for WPBakery plugin to version 3.21.1 or newer
  • If an upgrade cannot be performed, disable or uninstall the plugin
  • Deploy a web application firewall or security plugin configured to block or filter malicious script payloads

Generated by OpenCVE AI on April 28, 2026 at 10:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Brainstormforce
Brainstormforce ultimate Addons For Wpbakery Page Builder
Wordpress
Wordpress wordpress
Vendors & Products Brainstormforce
Brainstormforce ultimate Addons For Wpbakery Page Builder
Wordpress
Wordpress wordpress

Thu, 16 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Oct 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Ultimate Addons for WPBakery Page Builder < 3.21.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Brainstormforce Ultimate Addons For Wpbakery Page Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:57.708Z

Reserved: 2025-10-15T16:02:10.354Z

Link: CVE-2025-11814

cve-icon Vulnrichment

Updated: 2025-10-16T14:35:20.274Z

cve-icon NVD

Status : Deferred

Published: 2025-10-16T05:15:36.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11814

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:45:29Z

Weaknesses