Description
The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-21
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The WC Builder – WooCommerce Page Builder for WPBakery plugin contains a stored cross‑site scripting flaw that occurs when the heading_color parameter, along with other styling options, is inserted into the wpbforwpbakery_product_additional_information shortcode. Because the plugin does not sanitize or escape the data before persisting it, an attacker can embed arbitrary JavaScript that will run in the browsers of any site visitor. This allows a Shop Manager‑level user or higher to compromise the confidentiality and integrity of the site, potentially hijack sessions, or deface content in a way that is invisible to the default WordPress security tools. The flaw is a classic example of CWE‑79.

Affected Systems

The vulnerability exists in the hasthemes: WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress. All releases up to and including version 1.2.0 are impacted. Site owners should confirm they are running a version newer than 1.2.0 or have applied the vendor’s fix.

Risk and Exploitability

The CVSS score of 4.4 signals moderate severity, while an EPSS score of < 1 % points to a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Shop Manager or higher privileges, making the attack vector local to the site rather than truly remote; based on the description, the local attack inference is made because the plugin requires such authenticated access, a detail that is logically derived rather than explicitly stated. Once a malicious script is stored, it will execute for every user who views the affected page, creating a widespread risk for all visitors.

Generated by OpenCVE AI on April 22, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WC Builder plugin to the latest available version, which removes the insecure handling of the shortcode attributes.
  • If an update is unavailable, remove or disable the wpbforwpbakery_product_additional_information shortcode from all product pages or restrict the ability of Shop Manager users to edit product additional information.
  • Apply a strong content‑security‑policy header to the site to block execution of untrusted JavaScript, reducing the impact of any residual XSS vectors.

Generated by OpenCVE AI on April 22, 2026 at 00:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Dec 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Hasthemes
Hasthemes wc Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Hasthemes
Hasthemes wc Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Mon, 22 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 21 Dec 2025 02:45:00 +0000

Type Values Removed Values Added
Description The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WC Builder <= 1.2.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Hasthemes Wc Builder
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:43.741Z

Reserved: 2025-12-04T17:49:44.131Z

Link: CVE-2025-14054

cve-icon Vulnrichment

Updated: 2025-12-22T20:24:44.676Z

cve-icon NVD

Status : Deferred

Published: 2025-12-21T03:15:52.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14054

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses