Description
The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Supreme Addons for Beaver Builder plugin for WordPress contains an input validation weakness in its auto_qrcodesabb shortcode. Unsanitized, user‑supplied attributes are stored and later rendered without proper escaping, enabling the injection of arbitrary JavaScript. When a user with Contributor or higher privileges places the shortcode on a page with crafted attributes, the injected script becomes part of the page content and executes in the browser of every visitor who loads that page, potentially giving an attacker access to session cookies, the ability to deface content, or the ability to perform further actions on behalf of the victim.
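The defect class described above (attribute values passed straight into markup) and its fix (allow-listed attributes, type normalisation, and escaping at the point of output) are illustrated by the following shortcode handler. This is an added example written for this page, not the plugin's own code: the shortcode name `example_qr`, the attribute names `data`, `size` and `alt`, the function name and the generator endpoint `https://example.invalid/qr` are all hypothetical; the real auto_qrcodesabb handler is not reproduced here.

```php
<?php
/**
 * Added illustration (not the vendor's code) of a shortcode callback that
 * renders a QR-code <img> from user-supplied attributes.
 *
 * The pattern the advisory describes is attribute values concatenated
 * into HTML unchanged, e.g.
 *
 *   return '<img src="' . $atts['src'] . '" alt="' . $atts['alt'] . '">';
 *
 * Any author who may use the shortcode then controls the generated HTML.
 * The handler below keeps the same feature while closing that gap.
 */

function example_qr_shortcode( $atts ) {
	// 1. Allow-list the attributes and give each a default; anything else
	//    the author typed is discarded here.
	$atts = shortcode_atts(
		array(
			'data' => '',
			'size' => 150,
			'alt'  => 'QR code',
		),
		$atts,
		'example_qr'
	);

	// 2. Normalise each value to the type the template expects.
	$data = sanitize_text_field( $atts['data'] );
	$size = absint( $atts['size'] );
	$alt  = sanitize_text_field( $atts['alt'] );

	if ( '' === $data ) {
		return '';
	}
	if ( $size < 50 || $size > 1000 ) {
		$size = 150;
	}

	// 3. Build the image URL. add_query_arg() does not encode values, so
	//    the payload is rawurlencode()d first. The endpoint is hypothetical.
	$src = add_query_arg(
		array(
			'data' => rawurlencode( $data ),
			'size' => $size,
		),
		'https://example.invalid/qr'
	);

	// 4. Escape at output, with the escaper matching the context:
	//    esc_url() for the src attribute, esc_attr() for text attributes,
	//    %d for the integer dimensions.
	return sprintf(
		'<img src="%s" width="%d" height="%d" alt="%s" />',
		esc_url( $src ),
		$size,
		$size,
		esc_attr( $alt )
	);
}
add_shortcode( 'example_qr', 'example_qr_shortcode' );
```

Note that sanitising on input (`sanitize_text_field`) is not a substitute for escaping on output: the two work at different layers, and the stored-XSS class in this advisory arises precisely when a value is trusted because it was "cleaned" once and then emitted into a new HTML context without escaping for that context.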

Affected Systems

Version 1.0.9 and all earlier releases of the Supreme Addons for Beaver Builder plugin for WordPress, developed by ullakalim8, are affected. The flaw is present in the auto_qrcodesabb shortcode shipped with these releases.

Risk and Exploitability

The CVSS base score of 6.4 places this vulnerability in the medium severity range. The EPSS score of less than 1% indicates that the likelihood of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known weaponized exploit. An attacker must first authenticate to the WordPress site with a role of Contributor or greater to inject the payload, implying that internal credentials or compromised accounts are required. Once injected, the cross‑site scripting can affect any user who views the compromised page, posing a threat to confidentiality, integrity, and availability of the affected WordPress site.

Generated by OpenCVE AI on April 22, 2026 at 01:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Supreme Addons for Beaver Builder to the latest released version that removes the vulnerable shortcode handling.
  • If an upgrade cannot be performed immediately, revoke Contributor or higher privileges for users who have not been verified, or block the auto_qrcodesabb shortcode on existing content until a patch is applied.
  • Deploy a web application firewall or content security policy that blocks or sanitizes unexpected script tags entered through shortcode attributes.
  • Regularly scan site content for lingering malicious scripts and remove any that are discovered.
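The second and fourth actions above (blocking the shortcode on existing content until a patch is available, and scanning stored content for injected script) can be carried out with a must-use plugin. The following is an added example, not vendor or OpenCVE code; it assumes the vulnerable plugin registers its shortcode at the default `init` priority, and its attribute checks are heuristics for triage rather than a definitive detector. The constant and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Temporary auto_qrcodesabb mitigation (added example)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * without activation. Added illustration, not vendor code.
 */

const EXAMPLE_BLOCKED_SHORTCODE = 'auto_qrcodesabb';

// 1. Replace the vulnerable handler with one that renders nothing.
//    Priority 99 runs after the plugin's own add_shortcode() call,
//    assuming the plugin registers at the default priority of 10.
add_action( 'init', function () {
	remove_shortcode( EXAMPLE_BLOCKED_SHORTCODE );
	add_shortcode( EXAMPLE_BLOCKED_SHORTCODE, '__return_empty_string' );
}, 99 );

// 2. Triage helper: list every post that still carries the shortcode and
//    flag attribute values containing HTML/JS metacharacters, so an
//    administrator can review the author and the stored content.
function example_find_shortcode_uses() {
	// get_shortcode_regex() with an explicit tag list matches only ours;
	// capture group 3 is the raw attribute string.
	$pattern = '/' . get_shortcode_regex( array( EXAMPLE_BLOCKED_SHORTCODE ) ) . '/s';

	$posts = get_posts( array(
		'post_type'   => 'any',
		'post_status' => 'any',
		'numberposts' => -1,
		's'           => '[' . EXAMPLE_BLOCKED_SHORTCODE,
	) );

	$findings = array();
	foreach ( $posts as $post ) {
		if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
			continue;
		}
		foreach ( $matches as $m ) {
			$atts       = (array) shortcode_parse_atts( $m[3] );
			$suspicious = array();
			foreach ( $atts as $name => $value ) {
				// Heuristic: tag delimiters, quotes, event-handler style
				// "onxxx=" fragments or a javascript: scheme have no place
				// in a QR-code attribute.
				if ( preg_match( '/[<>"\']|\bon\w+\s*=|javascript:/i', (string) $value ) ) {
					$suspicious[ $name ] = $value;
				}
			}
			$findings[] = array(
				'post_id'    => $post->ID,
				'author_id'  => (int) $post->post_author,
				'shortcode'  => $m[0],
				'suspicious' => $suspicious,
			);
		}
	}
	return $findings;
}
```

With WP-CLI available, `wp eval 'print_r( example_find_shortcode_uses() );'` prints the findings; posts whose `suspicious` array is non-empty warrant removing the shortcode from the content and reviewing the listed author account. Remove the mu-plugin once the upgraded plugin version is in place, otherwise the legitimate shortcode stays disabled.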



Advisories
Source: EUVD
ID: EUVD-2025-22498
Title: The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 24 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Jul 2025 09:30:00 +0000

Type: Description
Values Added: The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Supreme Addons for Beaver Builder <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_qrcodesabb Shortcode

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:45.764Z

Reserved: 2025-04-15T21:21:31.036Z

Link: CVE-2025-3669

Vulnrichment

Updated: 2025-07-24T13:14:34.848Z

NVD

Status: Deferred

Published: 2025-07-24T10:15:26.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3669

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses