Impact
A stored cross-site scripting flaw exists in the App Landing Template Blocks for WPBakery Page Builder plugin. The vulnerability allows an authenticated attacker who holds the Contributor role or higher to inject arbitrary JavaScript through the attributes of the atvc_video_play shortcode. Because the plugin does not properly sanitize or escape this data, the attacker's script runs in the browser of any user who loads a page containing the malicious shortcode. This flaw can be used to deface the site, phish credentials, or execute additional malicious actions, thereby compromising the confidentiality, integrity, and availability of the affected website.
Affected Systems
The flaw affects the themebon App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress. All releases up to and including version 2.0.2 are vulnerable. WordPress sites that have installed the plugin and where users with Contributor or higher roles can edit content are at risk.
Risk and Exploitability
The CVSS score is 6.4 (medium severity), reflecting that the vulnerability is limited to authenticated users. The EPSS score of less than 1% suggests a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. An attacker would need to obtain contributor-level access, insert a malicious shortcode into a page or post, and then entice another site visitor to load that page. While the likelihood of exploitation is low, the impact of successful exploitation is significant, warranting prompt remediation.