Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Colibri Page Builder colibri-page-builder allows Stored XSS. This issue affects Colibri Page Builder: from n/a through < 1.0.334.
Published: 2025-10-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin has a stored cross-site scripting flaw that allows an attacker to inject arbitrary JavaScript into pages viewed by other users. Possible consequences include theft of session cookies, defacement, or redirection to malicious sites, compromising both the confidentiality and integrity of user data.

Affected Systems

The issue applies to the Extend Themes Colibri Page Builder plugin for WordPress in all versions up to but not including 1.0.334. Any WordPress site that has the plugin installed is affected.

Risk and Exploitability

The CVSS score of 5.9 denotes moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by embedding malicious script payloads that are stored and then served to every visitor who loads the affected content, creating a persistent attack vector.

Generated by OpenCVE AI on April 29, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Colibri Page Builder to version 1.0.334 or later to remove the stored XSS flaw.
  • If an immediate update is not possible, deactivate or uninstall the plugin to eliminate the vulnerability surface.
  • As a temporary containment measure, sanitize all user-supplied content that the plugin stores or renders, for example with WordPress’s wp_kses or related functions.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000
Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Fri, 30 Jan 2026 16:15:00 +0000
Type: Metrics
Values Removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Wed, 07 Jan 2026 14:15:00 +0000
Type: CPEs
Values Added: cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:wordpress:*:*

Thu, 13 Nov 2025 11:30:00 +0000

Thu, 13 Nov 2025 10:45:00 +0000

Thu, 23 Oct 2025 16:15:00 +0000
Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Thu, 23 Oct 2025 10:30:00 +0000
Type: First Time appeared
Values Added: Extendthemes; Extendthemes colibri Page Builder; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Extendthemes; Extendthemes colibri Page Builder; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 20:15:00 +0000
Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Oct 2025 14:45:00 +0000
Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Colibri Page Builder colibri-page-builder allows Stored XSS.This issue affects Colibri Page Builder: from n/a through < 1.0.334.
Type: Title
Values Added: WordPress Colibri Page Builder Plugin < 1.0.334 - Cross Site Scripting (XSS) Vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:53.101Z

Reserved: 2025-09-17T18:01:27.391Z

Link: CVE-2025-59593

Vulnrichment

Updated: 2025-10-22T19:28:26.548Z

NVD

Status : Modified

Published: 2025-10-22T15:15:56.407

Modified: 2026-04-27T20:16:24.347

Link: CVE-2025-59593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:45:16Z

Weaknesses