Description
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9.
Published: 2025-09-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (CWE‑79)
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker with Contributor or higher access in the Themify Builder plugin to store malicious script code in editable fields. When any user visits the affected page, the injected scripts run in that user’s browser, compromising confidentiality, integrity, or availability of the site. The weakness arises from insufficient input sanitization and output escaping, a classic Cross‑Site Scripting flaw (CWE‑79).

Affected Systems

The flaw is present in all versions of the Themify Builder plugin for WordPress up to and including 7.6.9. The plugin is developed by themifyme and any WordPress site using a vulnerable version is affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score below 1 % suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor‑level or higher privileges; the attacker must submit malicious content that is then rendered for all visitors to the page.

Generated by OpenCVE AI on April 22, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Themify Builder plugin to version 7.7.0 or later, which resolves the stored XSS issue.
  • Disable the plugin temporarily on critical sites until an upgrade can be applied.
  • Limit or remove Contributor-level access on sites where the plugin is used to prevent injection of malicious content.

Generated by OpenCVE AI on April 22, 2026 at 00:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30960 The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9.
History

Thu, 25 Sep 2025 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Themify
Themify themify Builder
Wordpress
Wordpress wordpress
Vendors & Products Themify
Themify themify Builder
Wordpress
Wordpress wordpress

Wed, 24 Sep 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Sep 2025 12:45:00 +0000

Type Values Removed Values Added
Description The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9.
Title Themify Builder <= 7.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Themify Themify Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:22.072Z

Reserved: 2025-08-22T14:58:02.773Z

Link: CVE-2025-9353

cve-icon Vulnrichment

Updated: 2025-09-24T13:00:21.351Z

cve-icon NVD

Status : Deferred

Published: 2025-09-24T13:15:37.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9353

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses