Description
The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Page Builder elements (Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart) in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the WPBakery Page Builder WordPress plugin, allowing an authenticated user with contributor or higher access to inject arbitrary JavaScript into a page through several builder elements. The attacker can place malicious code into attributes of elements such as Copyright, Hover Box, FAQ, and various charts, and the script will run each time the page is viewed by any user. This vulnerability arises from insufficient input validation and output escaping and is classified as CWE‑79.

Affected Systems

The vulnerability affects all installations of WPBakery Page Builder version 8.4.1 or earlier. It applies to the WordPress plugin distributed by wpbakery and includes all supported page builder components. The plugin is widely deployed on many WordPress sites, making the scope of exposure broad for any site operating on the affected software version.

Risk and Exploitability

The CVSS base score of 6.4 indicates a moderate level of severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation at the time, and the vulnerability is not listed in CISA’s KEV catalog. Because exploitation requires only contributor‑level access, it is relatively easy for authenticated users to leverage the flaw. The risk is moderate, especially on sites with many contributors.

Generated by OpenCVE AI on April 22, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPBakery Page Builder to the latest release that resolves the stored XSS flaw; consult the vendor’s release notes for version details.
  • For environments that cannot upgrade immediately, disable write access for contributor roles to the affected Page Builder elements or block the plugin until a patch is applied.
  • After upgrading, verify that user‑supplied attributes are properly escaped and that no legacy scripts remain; apply any vendor‑recommended security hardening steps such as enabling CSP or restricting script execution domains.
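The post-upgrade check above asks whether user-supplied element attributes are escaped at output. As an added illustration that is not WPBakery's code, here is a hypothetical WordPress shortcode (tag `example_box`, attributes `title`, `link`, `text` are assumed) rendering contributor-controlled attributes in the unescaped form that produces this class of stored XSS, beside the escaped form a reviewer should expect to find.

```php
<?php
// Added example (not from the WPBakery plugin): a minimal page-builder-style
// shortcode whose attributes come from post content that a contributor can edit.
// Shortcode tag and attribute names are hypothetical.

// Vulnerable pattern: attribute values are interpolated into HTML verbatim, so
// whoever can save the shortcode controls the emitted markup and script.
function example_box_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '', 'text' => '' ),
        $atts,
        'example_box'
    );
    return '<div class="box"><a href="' . $atts['link'] . '" title="' . $atts['title'] . '">'
         . $atts['text'] . '</a></div>';
}

// Hardened pattern: escape each value for the context it lands in.
// esc_url()      - href: rejects javascript: and other non-allowed schemes.
// esc_attr()     - quoted attribute: encodes quotes so the attribute cannot be broken out of.
// wp_kses_post() - body HTML: keeps the tags a post author may use, strips <script>
//                  and on* event handlers (contributors lack the unfiltered_html capability).
function example_box_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '', 'text' => '' ),
        $atts,
        'example_box'
    );
    return '<div class="box"><a href="' . esc_url( $atts['link'] ) . '" title="' . esc_attr( $atts['title'] ) . '">'
         . wp_kses_post( $atts['text'] ) . '</a></div>';
}

add_shortcode( 'example_box', 'example_box_safe' );
```

When auditing an element's render callback, look for every attribute that reaches the returned string without passing through one of these context-appropriate escaping functions.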

Advisories

Source: EUVD
ID: EUVD-2025-22479
Title: The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Page Builder elements (Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart) in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Wed, 26 Nov 2025 14:45:00 +0000
  • First Time appeared: Wpbakery page Builder
  • CPEs: cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Wpbakery page Builder

Thu, 24 Jul 2025 21:30:00 +0000
  • First Time appeared: Wordpress; Wordpress wordpress; Wpbakery; Wpbakery wpbakery Visual Composer
  • Vendors & Products: Wordpress; Wordpress wordpress; Wpbakery; Wpbakery wpbakery Visual Composer

Thu, 24 Jul 2025 14:15:00 +0000
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Jul 2025 04:00:00 +0000
  • Description: The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Page Builder elements (Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart) in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title: WPBakery Page Builder <= 8.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Page Builder Elements
  • Weaknesses: CWE-79
  • References: (none listed)
  • Metrics (cvssV3_1): {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T16:36:03.519Z
Reserved: 2025-05-19T20:58:07.027Z
Link: CVE-2025-4968

Vulnrichment
Updated: 2025-07-24T13:18:34.628Z

NVD
Status: Analyzed
Published: 2025-07-24T07:15:53.793
Modified: 2025-11-26T14:37:26.127
Link: CVE-2025-4968

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-22T17:15:22Z

Weaknesses