Description
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows authenticated contributors or higher to inject arbitrary scripts on pages viewed by any user
Action: Patch Immediately
AI Analysis

Impact

The Colibri Page Builder plugin for WordPress is vulnerable to stored Cross‑Site Scripting. The colibri_newsletter shortcode fails to sanitize or escape user‑supplied attributes, enabling an authenticated user with contributor‑level access or greater to store malicious script code that will run whenever a page containing the shortcode is viewed.

Affected Systems

The vulnerability affects the ExtendThemes Colibri Page Builder plugin, all released versions up to and including 1.0.334. Any WordPress installation that has installed this plugin and created or edited a page using the colibri_newsletter shortcode is potentially impacted.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with contributor or higher privileges to inject code, but once injected, the malicious script runs for any visitor to the affected page.

Generated by OpenCVE AI on April 22, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Colibri Page Builder to a version newer than 1.0.334, which removes the input sanitization flaw.
  • If an update cannot be applied immediately, remove or disable the colibri_newsletter shortcode from all pages and prevent contributors or higher from adding it.
  • After disabling the shortcode, review existing pages for injected content and cleanse any user data that may contain malicious script before restoration of the shortcode.
  • Restrict contributor permissions or temporarily revoke contributor access until the plugin is updated, to prevent further injection of scripts.
  • Configure the site to serve the affected pages with strict Content‑Security Policy headers that block inline script execution, mitigating the impact of any scripts that may already be embedded.

Generated by OpenCVE AI on April 22, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Extendthemes
Extendthemes colibri Page Builder
Wordpress
Wordpress wordpress
Vendors & Products Extendthemes
Extendthemes colibri Page Builder
Wordpress
Wordpress wordpress

Tue, 14 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 11 Oct 2025 02:45:00 +0000

Type Values Removed Values Added
Description The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Colibri Page Builder <= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Extendthemes Colibri Page Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:35.816Z

Reserved: 2025-08-27T20:15:51.490Z

Link: CVE-2025-9560

cve-icon Vulnrichment

Updated: 2025-10-14T13:42:33.781Z

cve-icon NVD

Status : Deferred

Published: 2025-10-11T03:15:31.380

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:00:12Z

Weaknesses