Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows Stored XSS.This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPBakery Visual Composer WHMCS Elements plugin contains an input handling flaw that allows stored cross‑site scripting. The vulnerability arises when user input is rendered without proper escaping during page generation. The stored script is then executed in visitors’ browsers, enabling malicious actions such as defacement or credential theft.

Affected Systems

WordPress sites that run the voidcoders WPBakery Visual Composer WHMCS Elements plugin version 1.0.4.3 or earlier are affected. All releases from the first public one up to 1.0.4.3 contain the flaw, while later releases are presumed not to.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The EPSS score of < 1% reflects a low probability of active exploitation today, and the issue is not listed in CISA KEV. The attack surface involves the plugin’s data input interfaces; the failure to escape input allows attacker‑supplied code to be stored and executed when the plugin renders pages for all site visitors. It is not specified whether authentication is required to submit the malicious payload; the CVES description does not indicate this requirement.

Generated by OpenCVE AI on April 30, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPBakery Visual Composer WHMCS Elements plugin to the latest version that eliminates the stored XSS flaw.
  • If an update cannot be applied immediately, deactivate or delete the plugin to prevent further exploitation.
  • Apply a web application firewall rule or enforce a content security policy that blocks execution of injected scripts in pages generated by the plugin until an official patch is available.

Generated by OpenCVE AI on April 30, 2026 at 20:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13738 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements allows Stored XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through 1.0.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements allows Stored XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through 1.0.4.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows Stored XSS.This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3.
Title WordPress WPBakery Visual Composer WHMCS Elements <= 1.0.4.1 - Cross Site Scripting (XSS) Vulnerability WordPress WPBakery Visual Composer WHMCS Elements plugin <= 1.0.4.3 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00045}

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements allows Stored XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through 1.0.4.1.
Title WordPress WPBakery Visual Composer WHMCS Elements <= 1.0.4.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.704Z

Reserved: 2025-05-07T10:45:20.228Z

Link: CVE-2025-47659

cve-icon Vulnrichment

Updated: 2025-05-07T17:19:10.315Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:16:18.380

Modified: 2026-04-23T15:30:41.803

Link: CVE-2025-47659

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:30:26Z

Weaknesses