Description
The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via plugin shortcodes
Action: Patch Now
AI Analysis

Impact

WPBakery Page Builder for WordPress allows authenticated users with contributor or higher privileges to inject arbitrary web scripts by taking advantage of insufficient input sanitization and output escaping on user supplied attributes within multiple shortcodes. The stored XSS flaw results in malicious scripts executing whenever any visitor loads a page that contains the injected content, enabling credential theft, session hijacking, or other malicious actions without the visitor’s knowledge.
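To make the escaping point concrete, here is an added example in PHP (not WPBakery's code) with a hypothetical [demo_button] shortcode that echoes caller-supplied attributes. The first handler shows the unescaped pattern the advisory describes; the second escapes each value for its output context.

```php
<?php
// Added example: hypothetical [demo_button title="..." link="..."] shortcode.
// Not WPBakery code; it illustrates the class of defect the advisory names.
//
// Contributors lack the unfiltered_html capability, so KSES strips raw <script>
// from post_content on save. Shortcode attributes, however, are plain text
// inside [...] brackets and only become HTML when the handler runs at render
// time, so the handler itself must escape them.

// Unescaped pattern: attribute values are concatenated straight into markup.
// A double quote in title terminates the attribute, and link is written into
// href without any scheme check.
function demo_button_unescaped( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '#' ),
        $atts,
        'demo_button'
    );
    return '<a class="demo-btn" href="' . $atts['link'] . '" title="' . $atts['title'] . '">'
        . $atts['title'] . '</a>';
}

// Hardened form: escape per output context. esc_url() drops URLs whose scheme
// is not in wp_allowed_protocols(), esc_attr() neutralises quotes and angle
// brackets inside an attribute, esc_html() does the same for element text.
function demo_button_escaped( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'link' => '#' ),
        $atts,
        'demo_button'
    );
    return '<a class="demo-btn" href="' . esc_url( $atts['link'] ) . '"'
        . ' title="' . esc_attr( $atts['title'] ) . '">'
        . esc_html( $atts['title'] ) . '</a>';
}

// Register only the escaped handler.
add_shortcode( 'demo_button', 'demo_button_escaped' );
```

Escaping belongs at the output step regardless of what was sanitized on save; a reviewer can grep shortcode callbacks for attribute values concatenated into markup without an esc_* wrapper.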

Affected Systems

The vulnerability affects the WPBakery Page Builder plugin for WordPress in all released versions up to and including 8.5. Any WordPress site that has the plugin installed and has users with contributor or higher roles is potentially exposed; the WordPress core version is not a factor. No additional external components are required for exploitation.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% implies a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation at this time. Nevertheless, an attacker only needs an account with contributor or higher privileges to inject malicious code, after which the code persists on the site and runs for all subsequent visitors, making it a potentially high-impact vector if a threat actor obtains such credentials.

Generated by OpenCVE AI on April 20, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPBakery Page Builder plugin to version 8.6 or newer, where the issue is resolved.
  • If an upgrade is not immediately possible, restrict contributor and higher role users from adding content that includes shortcodes, or temporarily disable the plugin until a fix is applied.
  • Implement a content security policy that blocks inline script execution and enforce strict script-src directives to reduce the impact of stored XSS.
  • Monitor the site’s logs for unusual script activity and educate users about phishing risk.


Advisories
Source: EUVD
ID: EUVD-2025-23729
Title: The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 26 Nov 2025 13:45:00 +0000

First Time appeared (values added): Wpbakery page Builder
CPEs (values added): cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*
Vendors & Products (values added): Wpbakery page Builder

Wed, 06 Aug 2025 16:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 Aug 2025 08:00:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress; Wpbakery; Wpbakery wpbakery Page Builder
Vendors & Products (values added): Wordpress; Wordpress wordpress; Wpbakery; Wpbakery wpbakery Page Builder

Wed, 06 Aug 2025 02:00:00 +0000

Description (values added): The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title (values added): WPBakery Page Builder for WordPress <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:39.419Z

Reserved: 2025-07-11T18:10:32.390Z

Link: CVE-2025-7502

Vulnrichment

Updated: 2025-08-06T15:28:59.629Z

NVD

Status : Analyzed

Published: 2025-08-06T02:15:50.240

Modified: 2025-11-26T13:37:17.087

Link: CVE-2025-7502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses