CVE-2023-6988 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Colibri Page Builder plugin for WordPress, developed by extendthemes. This vulnerability exists in all versions up to and including 1.0.239 due to improper neutralization of input during web page generation, specifically within the plugin's extend_builder_render_js shortcode. The root cause is insufficient input sanitization and output escaping of user-supplied attributes. An authenticated attacker with contributor-level or higher permissions can exploit this vulnerability by injecting arbitrary JavaScript code into pages. When any user accesses the compromised page, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges at the contributor level, but no user interaction is needed for exploitation once the malicious content is injected. The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component itself, potentially impacting other users viewing the injected content. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations using WordPress websites with the Colibri Page Builder plugin, this vulnerability poses a significant risk. Stored XSS can compromise the confidentiality and integrity of user sessions and data, potentially leading to unauthorized access to sensitive information or administrative functions. This is particularly critical for organizations handling personal data under GDPR, as exploitation could result in data breaches and regulatory penalties. The ability for contributors (a relatively low privilege level) to inject malicious scripts increases the attack surface, especially in collaborative environments or where multiple users have editing rights. The vulnerability can also damage organizational reputation if exploited to deface websites or distribute malware to visitors. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce sites, the impact could be broad, affecting customer trust and operational continuity.

European organizations should immediately audit their WordPress installations to identify the presence of the Colibri Page Builder plugin and verify its version. Until an official patch is released, organizations should restrict contributor-level permissions to trusted users only and consider temporarily disabling the plugin or the vulnerable shortcode functionality if feasible. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the extend_builder_render_js shortcode can provide interim protection. Additionally, organizations should enforce strict Content Security Policies (CSP) to limit the execution of unauthorized scripts. Regularly monitoring website content for unauthorized changes and conducting security scans focused on XSS vulnerabilities will help detect exploitation attempts early. Finally, once a patch is available, prompt application of updates is critical to fully remediate the vulnerability.