Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbakery Templatera allows DOM-Based XSS. This issue affects Templatera: from n/a through 2.3.0 (inclusive).
Published: 2025-08-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Templatera plugin contains a DOM-based cross-site scripting flaw (CWE-79): JavaScript shipped by the plugin takes attacker-influenced input and writes it into the page without neutralizing it. Because the injection happens in the browser rather than in server-side rendering, the payload can travel in a part of the URL the server never logs (the fragment is the classic carrier) and still execute. A successful attacker runs arbitrary script in the victim's browser within the origin of the WordPress site, which can expose session cookies and other data that script can reach, drive authenticated actions on the victim's behalf, or alter what the victim sees; the foothold can be extended to phishing or malware delivery. The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) records the reporter's assessment that exploitation needs a low-privileged account and victim interaction, with impact crossing into the victim's browser context and rated low for confidentiality, integrity and availability.
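To make the DOM-based variant concrete, the following is an added illustration written for this page; it is not Templatera's code, and the fragment parameter name `tpl`, the markup and the sample payload are assumed. It contrasts an unescaped source-to-sink path with an escaped one and includes a conservative check for active content in markup that is about to reach an HTML sink.

```javascript
// Added illustration of DOM-based XSS (CWE-79, client-side variant).
// Not Templatera's code: the "tpl" parameter, the markup and the payload are assumed.

// Source: an attacker-influenced part of the URL. The fragment is the classic case
// because browsers never send it to the server, so server logs and WAFs do not see it.
function readFragmentParam(fragment, name) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  // URLSearchParams percent-decodes, so an encoded payload becomes a live string here.
  return params.get(name) ?? "";
}

// Vulnerable pattern: untrusted text concatenated into HTML destined for innerHTML.
function buildMarkupUnsafe(label) {
  return `<span class="tpl-label">${label}</span>`;
}

// Neutralization: escape the five HTML-significant characters before interpolation.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function buildMarkupSafe(label) {
  return `<span class="tpl-label">${escapeHtml(label)}</span>`;
}

// Conservative review check for markup about to hit an HTML sink: flags <script>,
// inline on* handlers and javascript: URLs. A match is a reason to look, not proof.
function looksLikeActiveContent(html) {
  return /<\s*script\b/i.test(html)
    || /<[^>]*\son[a-z]+\s*=/i.test(html)
    || /javascript:/i.test(html);
}

// Sink. innerHTML does not execute <script> elements it inserts, which is why
// real-world payloads use event handlers such as onerror instead.
function renderInto(container, html) {
  container.innerHTML = html;
}

// Constructed sample payload (no network, no real site).
const SAMPLE_FRAGMENT = "#tpl=" + encodeURIComponent('<img src=x onerror="alert(document.domain)">');

// Stand-alone demo for Node: there is no DOM, so a stub object stands in for an element.
function demo() {
  const label = readFragmentParam(SAMPLE_FRAGMENT, "tpl");
  const stub = { innerHTML: "" };
  renderInto(stub, buildMarkupUnsafe(label));
  console.log("unsafe markup carries active content:", looksLikeActiveContent(stub.innerHTML));
  renderInto(stub, buildMarkupSafe(label));
  console.log("escaped markup carries active content:", looksLikeActiveContent(stub.innerHTML));
}
if (typeof require !== "undefined" && require.main === module) demo();
```

Escaping at the point of interpolation (or using textContent / createElement instead of innerHTML) is the fix for this class; the fragment-based delivery is also why a server-side WAF or access log gives no signal for a DOM-based issue.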

Affected Systems

The vulnerability affects the Templatera plugin supplied by wpbakery. The advisory gives no lower bound ('n/a'), so every release up to and including 2.3.0 should be treated as affected. Any WordPress installation with the plugin active in that version range is susceptible.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, describes a network-reachable, low-complexity issue that the reporter assessed as needing a low-privileged account (PR:L) and a victim's interaction (UI:R), with low impact to each of confidentiality, integrity and availability. The EPSS score of < 1 % suggests a low probability of exploitation in the near term, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded at publication lists Exploitation: none and Automatable: no. As a DOM-based XSS, the flaw sits in the plugin's client-side script: the attacker supplies or influences a value, typically through a crafted link or page state, that the script writes into the DOM without neutralization, and the victim must load the page with that value present. Exploitation requires the plugin to be active on the target site.

Generated by OpenCVE AI on April 30, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Templatera past 2.3.0 as soon as the vendor publishes a release that addresses this issue; the advisory lists every version up to and including 2.3.0 as affected, and no fixed version is recorded on this page
  • If an upgrade cannot be performed immediately, disable or uninstall the Templatera plugin to eliminate the risk
  • For sites that must retain the plugin, deploy a Content Security Policy whose script-src omits 'unsafe-inline' and 'unsafe-eval' (nonce- or hash-based allowlisting), so that injected inline event handlers, javascript: URLs and eval or new Function are not executed. Roll it out with Content-Security-Policy-Report-Only first, since WordPress core, themes and plugins commonly rely on inline scripts, and treat it as defense in depth rather than a fix
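Whether a CSP mitigates anything here depends entirely on its effective script-src. The following checker is an added example written for this page, not taken from the vendor or from OpenCVE; it parses a policy header and reports whether the policy blocks inline script (event handlers, javascript: URLs) and eval-style evaluation, with notes on the usual pitfalls. Both sample headers are constructed.

```javascript
// Added CSP checker, not from the page, the vendor or OpenCVE. Sample headers are constructed.

// Parse "directive value value; directive value" into a Map of directive -> values.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return policy;
}

// script-src falls back to default-src; if neither is present, scripts are unrestricted.
function effectiveScriptSrc(policy) {
  return policy.get("script-src") ?? policy.get("default-src") ?? null;
}

function assessCsp(header) {
  const src = effectiveScriptSrc(parseCsp(header));
  const notes = [];
  if (src === null) {
    return { blocksInlineScript: false, blocksEval: false, notes: ["no script-src or default-src: scripts unrestricted"] };
  }
  const hasNonceOrHash = src.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  const unsafeInline = src.includes("'unsafe-inline'");
  const unsafeEval = src.includes("'unsafe-eval'");
  // CSP3: when a nonce or hash is present, 'unsafe-inline' is ignored, so inline
  // handlers and javascript: URLs stay blocked; the keyword is then only a legacy fallback.
  const blocksInlineScript = !unsafeInline || hasNonceOrHash;
  if (unsafeInline && hasNonceOrHash) notes.push("'unsafe-inline' ignored by CSP3 browsers because a nonce/hash is present");
  if (unsafeInline && !hasNonceOrHash) notes.push("'unsafe-inline' without nonce/hash: injected inline script runs, CSP gives no XSS mitigation");
  if (src.includes("'unsafe-hashes'")) notes.push("'unsafe-hashes' re-allows specific hashed inline handlers; review that list");
  if (src.includes("'strict-dynamic'")) notes.push("'strict-dynamic' makes host allowlists irrelevant; trust flows from nonced scripts");
  if (src.some((v) => v === "*" || v === "https:" || v === "http:")) notes.push("scheme or wildcard source: an injected <script src> from any host loads");
  return { blocksInlineScript, blocksEval: !unsafeEval, notes };
}

// Constructed samples: a permissive policy of the kind WordPress sites often ship, and a strict one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const STRICT_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'self'";

function demo() {
  for (const [name, csp] of [["weak", WEAK_CSP], ["strict", STRICT_CSP]]) {
    const r = assessCsp(csp);
    console.log(name, "blocks inline:", r.blocksInlineScript, "blocks eval:", r.blocksEval, r.notes);
  }
}
if (typeof require !== "undefined" && require.main === module) demo();
```

Run it against the header your site actually serves (curl -sI, then paste the Content-Security-Policy value). A policy that still carries 'unsafe-inline' without a nonce or hash is common on WordPress and provides no mitigation for this bug class; that is the check to make before counting CSP as a compensating control.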

Advisories
Source: EUVD
ID: EUVD-2025-24919
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbakery Templatera allows DOM-Based XSS. This issue affects Templatera: from n/a through 2.3.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1:
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbakery Templatera allows DOM-Based XSS. This issue affects Templatera: from n/a through 2.3.0.
Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbakery Templatera templatera allows DOM-Based XSS.This issue affects Templatera: from n/a through <= 2.3.0.
References: changed
Metrics cvssV3_1:
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 15 Aug 2025 13:15:00 +0000

Metrics ssvc, value added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 Aug 2025 08:30:00 +0000

First Time appeared, values added: Wordpress; Wordpress wordpress; Wpbakery; Wpbakery templatera
Vendors & Products, values added: Wordpress; Wordpress wordpress; Wpbakery; Wpbakery templatera

Thu, 14 Aug 2025 18:30:00 +0000

Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbakery Templatera allows DOM-Based XSS. This issue affects Templatera: from n/a through 2.3.0.
Title, value added: WordPress Templatera Plugin <= 2.3.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses, value added: CWE-79
References: changed
Metrics cvssV3_1, value added:
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.092Z

Reserved: 2025-07-28T10:56:48.470Z

Link: CVE-2025-54747

Vulnrichment

Updated: 2025-08-15T12:53:00.859Z

NVD

Status : Deferred

Published: 2025-08-14T19:15:42.300

Modified: 2026-04-23T15:32:55.703

Link: CVE-2025-54747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:30:27Z

Weaknesses