Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Stored XSS. This issue affects Builderall Builder for WordPress: from n/a through <= 3.0.1.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Builderall Builder for WordPress plugin contains an improper neutralization of input during web page generation that allows stored XSS. Injected malicious scripts are persisted in the site’s content and executed in the browsers of all users who view the affected pages. This can lead to session hijacking, data theft, defacement, or installation of additional malware while compromising confidentiality and integrity of user data.

Affected Systems

The vulnerability exists in the Builderall Builder for WordPress product from Builderall, affecting all releases up to and including version 3.0.1. No later releases are indicated as affected.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability carries moderate severity. The EPSS score below 1% suggests a low probability of exploitation at this time, and it is not listed in the CISA KEV catalog. Attackers would need to inject content through the plugin’s administrative interface or other content‑creation channels, after which any user who views the stored payload can be impacted. The attack vector is likely remote, web‑based, and requires some level of user access to the site’s backend or ability to add content.

Generated by OpenCVE AI on April 29, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Builderall Builder for WordPress to the latest version 3.0.2 or newer to remove the vulnerable code
  • If an immediate update is not possible, disable or uninstall the plugin to eliminate the risk of stored XSS
  • Apply a web‑application firewall rule to detect and block typical XSS payloads originating from content entry forms

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 27 Oct 2025 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Builderall, Builderall builder For Wordpress, Wordpress, Wordpress wordpress |
| Vendors & Products | | Builderall, Builderall builder For Wordpress, Wordpress, Wordpress wordpress |

Mon, 27 Oct 2025 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 27 Oct 2025 02:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Stored XSS. This issue affects Builderall Builder for WordPress: from n/a through <= 3.0.1. |
| Title | | WordPress Builderall Builder for WordPress plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:00:30.568Z

Reserved: 2025-10-24T14:25:13.438Z

Link: CVE-2025-62987

Vulnrichment

Updated: 2025-10-27T14:48:26.989Z

NVD

Status: Deferred

Published: 2025-10-27T02:15:59.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-62987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:45:11Z

Weaknesses