Impact
The vulnerability is a stored Cross-Site Scripting (XSS) flaw caused by improper neutralization of input in Brainstorm Force's Ultimate Addons for WPBakery Page Builder. User-supplied data is persisted and later inserted into web pages without adequate escaping, so an attacker can inject malicious scripts. This can lead to session hijacking, defacement, or cookie theft. The weakness is a classic input validation failure (CWE-79).
Affected Systems
The flaw affects WordPress sites that have the Ultimate Addons for WPBakery Page Builder plugin installed at any version prior to 3.21.1. The advisory data gives no lower bound for the affected range (listed as n/a), so every release up to but not including 3.21.1 is vulnerable.
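A check for the affected range stated above, as an added example (not OpenCVE's or the vendor's code): it reads the standard WordPress plugin header comment of each plugin under a plugins directory and flags copies older than 3.21.1. It assumes the installed plugin's `Plugin Name` header contains the name used in this advisory; the directory and file names in the sample tree are constructed.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Ultimate Addons for WPBakery Page Builder"  # name as written in the advisory
FIXED = (3, 21, 1)                                         # first release outside the affected range

# WordPress plugin headers are "Key: value" lines inside the main file's leading comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_headers(php_file):
    """Return header fields found in the first 8 KiB of a plugin file."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    return fields

def parse_version(s):
    """Dotted numeric prefix as a tuple padded to three parts, or None."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def find_installs(plugins_dir):
    """List (directory, version string, status) for each copy of the plugin."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php)
        if PLUGIN_NAME.lower() not in h.get("plugin name", "").lower():
            continue
        v = parse_version(h.get("version", ""))
        status = "unknown" if v is None else "vulnerable" if v < FIXED else "patched"
        results.append((php.parent.name, h.get("version"), status))
    return results

def demo():
    """Scan a constructed plugins tree (directory names are placeholders)."""
    samples = {"addons-old": (PLUGIN_NAME, "3.19.11"), "addons-new": (PLUGIN_NAME, "3.21.1"),
               "other-plugin": ("Some Other Plugin", "1.0")}
    with tempfile.TemporaryDirectory() as tmp:
        for d, (name, ver) in samples.items():
            (Path(tmp) / d).mkdir()
            (Path(tmp) / d / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return find_installs(tmp)

if __name__ == "__main__":
    for row in demo():
        print(*row)
```

On a real site, pass the path of the `wp-content/plugins` directory to `find_installs`; a status of `unknown` means the version header was missing or unparseable and the copy should be inspected by hand.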
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is of moderate severity. The low EPSS score (<1%) indicates a small probability of exploitation, and the issue is not yet listed in the CISA KEV catalog. Based on the description, the most probable attack vectors are inferred to be the plugin's content-editing interfaces or custom fields, where user-supplied data is stored and later rendered without sanitization, so that the script executes in the browsers of site visitors. Successful exploitation can result in session hijacking, defacement, or cookie theft, and affects all users who view the vulnerable pages.