Description
Missing Authorization vulnerability in dastan800 Visual Builder visual-builder allows Reflected XSS.This issue affects Visual Builder: from n/a through <= 1.2.2.
Published: 2025-05-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Visual Builder plugin from dastan800 contains a missing authorization flaw that allows an attacker to inject and execute reflected XSS payloads. Because the flaw is rooted in improper authorization (CWE‑862), an attacker can target authenticated users or the site’s administrators, potentially hijacking sessions, defacing content, or stealing credentials.

Affected Systems

The vulnerability affects all releases of the Visual Builder WordPress plugin up through version 1.2.2. Any site using this plugin—regardless of WordPress version—is at risk unless the plugin is upgraded or disabled.

Risk and Exploitability

With a CVSS base score of 7.1 and an EPSS of less than 1 %, the overall risk is moderate. The flaw is not listed in the CISA KEV catalog, and while the exploitation requires a crafted request to the plugin’s endpoints, it can be delivered via a simple link or form submission. An attacker who successfully delivers the payload could execute client‑side code with the privileges of the victim user, leading to XSS and potential privilege escalation.

Generated by OpenCVE AI on April 30, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Visual Builder plugin to a version newer than 1.2.2
  • If an upgrade is not immediately possible, disable the plugin for all users except trusted administrators
  • Implement a Web Application Firewall rule to detect and block reflected XSS payloads

Generated by OpenCVE AI on April 30, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28054 Missing Authorization vulnerability in dastan800 Visual Builder allows Reflected XSS. This issue affects Visual Builder: from n/a through 1.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in dastan800 Visual Builder allows Reflected XSS. This issue affects Visual Builder: from n/a through 1.2.2. Missing Authorization vulnerability in dastan800 Visual Builder visual-builder allows Reflected XSS.This issue affects Visual Builder: from n/a through <= 1.2.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in dastan800 Visual Builder allows Reflected XSS. This issue affects Visual Builder: from n/a through 1.2.2.
Title WordPress Visual Builder plugin <= 1.2.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:19:42.298Z

Reserved: 2025-04-24T14:22:54.404Z

Link: CVE-2025-46488

cve-icon Vulnrichment

Updated: 2025-05-23T14:51:23.760Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:36.120

Modified: 2026-04-23T15:30:05.890

Link: CVE-2025-46488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses