Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
Published: 2026-01-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation enables a reflected XSS flaw (CWE-79) in two AA‑Team WordPress plugins. The vulnerability allows an attacker to inject malicious JavaScript that is executed in the victim’s browser when a crafted request is processed by the plugin.

Affected Systems

Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) from versions without a known fix up to 1.2, and Woocommerce Sales Funnel Builder from versions without a known fix up to 1.1. These plugins are distributed by AA‑Team and are commonly used on WordPress installations that include WPBakery Page Builder or WooCommerce.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate risk, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by crafting a URL or submitting a form that includes malicious script content reflected by the plugin, requiring only that a victim visit the affected page. The impact is limited to the victim’s browser and does not provide direct server‑side access.

Generated by OpenCVE AI on May 2, 2026 at 08:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugins to the latest available versions that contain the fix—install at least 1.2 for the Amazon Affiliates Addon and 1.1 for the Woocommerce Sales Funnel Builder.
  • If an update is not immediately feasible, disable or remove the affected plugin or its specific components until a patched version is released.
  • Deploy a web application firewall rule that blocks or sanitizes reflected XSS payloads targeting the input parameters of these plugins.

Generated by OpenCVE AI on May 2, 2026 at 08:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) azon-addon-js-composer allows Reflected XSS.This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through <= 1.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
Title WordPress Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) <= 1.2 - Cross Site Scripting (XSS) Vulnerability Reflected Cross Site Scripting (XSS) vulnerability in AA-Team WordPress plugins
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) azon-addon-js-composer allows Reflected XSS.This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through <= 1.2.
Title Reflected Cross Site Scripting (XSS) vulnerability in AA-Team WordPress plugins WordPress Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) <= 1.2 - Cross Site Scripting (XSS) Vulnerability
References

Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Aa-team
Aa-team amazon Affiliates Addon For Wpbakery Page Builder
Aa-team woocommerce Sales Funnel Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Aa-team
Aa-team amazon Affiliates Addon For Wpbakery Page Builder
Aa-team woocommerce Sales Funnel Builder
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
Title Reflected Cross Site Scripting (XSS) vulnerability in AA-Team WordPress plugins
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Aa-team Amazon Affiliates Addon For Wpbakery Page Builder Woocommerce Sales Funnel Builder
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:56.543Z

Reserved: 2025-03-24T13:01:06.201Z

Link: CVE-2025-30631

cve-icon Vulnrichment

Updated: 2026-01-06T21:03:25.973Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T21:15:42.407

Modified: 2026-04-28T19:30:21.270

Link: CVE-2025-30631

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses