Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw caused by improper neutralization of user-supplied input during web page generation. An attacker can place script in URL query parameters or form fields that the plugin echoes back into the rendered page without adequate output encoding. Because the flaw is reflected, a victim must open a crafted link or submit a crafted form; the script then runs in the victim's browser in the context of the site, where it can steal session cookies, deface content, or redirect the victim to attacker-controlled sites, affecting the confidentiality and integrity of the web application.
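The following PHP snippet is an added illustration of the bug class described above; it is not code from the Business Template Blocks plugin. It renders a query parameter into addon markup twice, once unencoded (the vulnerable pattern) and once with context-appropriate WordPress escaping (the hardened pattern). The parameter name `bt_title`, the CSS class and the function names are hypothetical, and the `esc_html`/`esc_attr` stand-ins are only defined so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's own code. Demonstrates reflected XSS via
// missing output encoding and the corrected form.

// Outside WordPress, provide minimal stand-ins for the escaping helpers so the
// file runs from the CLI. Inside WordPress the real esc_attr()/esc_html() from
// wp-includes/formatting.php are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: user-controlled input is concatenated straight into markup.
// Parameter name and markup are hypothetical.
function render_title_vulnerable(array $query): string {
    $title = $query['bt_title'] ?? '';
    return '<div class="bt-addon" data-title="' . $title . '">'
         . '<h2>' . $title . '</h2></div>';
}

// Hardened pattern: every interpolation is encoded for the context it lands in
// (attribute value vs. element text). Encoding at output time is the fix for
// this class of flaw; filtering on input alone is not sufficient.
function render_title_safe(array $query): string {
    $title = $query['bt_title'] ?? '';
    return '<div class="bt-addon" data-title="' . esc_attr($title) . '">'
         . '<h2>' . esc_html($title) . '</h2></div>';
}

// Constructed probe input: a classic reflected-XSS payload in a GET parameter.
$probe = ['bt_title' => '"><script>alert(document.cookie)</script>'];

echo "vulnerable: " . render_title_vulnerable($probe) . PHP_EOL;
echo "hardened:   " . render_title_safe($probe) . PHP_EOL;

// The hardened output carries no raw '<' or '"' from the input, so the browser
// never sees a new tag or a closed attribute; the vulnerable output does.
assert(strpos(render_title_vulnerable($probe), '<script>') !== false);
assert(strpos(render_title_safe($probe), '<script>') === false);
```

Run it with `php example.php`; the first line of output shows the injected `<script>` element intact, the second shows it neutralized as `&lt;script&gt;`. Where an addon is meant to accept limited HTML, `wp_kses_post()` is the WordPress helper to use instead of raw concatenation.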
Affected Systems
Affected systems are WordPress sites running the Business Template Blocks for WPBakery (Visual Composer) Page Builder plugin by the vendor themebon at any release up to and including version 1.3.2. The flaw lies in the plugin's template and addon data-handling logic; releases from the 1.3.3 update onward are not listed as affected.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high severity band, but the EPSS score of less than 1% indicates that the probability of exploitation in the wild is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request that carries script in query parameters or POST data which the plugin reflects into a page. No authenticated account is needed when the vulnerable endpoint is reachable by unauthenticated traffic, but, as with any reflected XSS, the attacker must induce a victim to open the crafted link. Site operators should confirm the installed plugin version and apply the 1.3.3 update.
OpenCVE Enrichment