CVE-2025-10006 is a stored cross-site scripting (XSS) vulnerability identified in the WPBakery Page Builder plugin for WordPress, specifically in the handling of the 'rev_slider_vc' shortcode. This vulnerability exists due to insufficient sanitization and escaping of user-supplied attributes, allowing an attacker with authenticated contributor-level access or higher to inject arbitrary JavaScript code into pages. The malicious scripts are stored persistently and executed whenever any user accesses the affected page, potentially leading to session hijacking, privilege escalation, or data theft. Exploitation requires the presence of the RevSlider plugin alongside WPBakery Page Builder, as the vulnerability is tied to the interaction between these components. The vulnerability affects all versions up to and including 8.6 of WPBakery Page Builder. The CVSS 3.1 base score is 6.4, indicating a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WPBakery and RevSlider in WordPress sites. The flaw is categorized under CWE-79, which relates to improper neutralization of input during web page generation, a common cause of XSS vulnerabilities. Mitigation requires patching or applying strict input validation and output encoding, especially for shortcode attributes. Organizations should also audit user roles and restrict contributor-level access to trusted users only.

For European organizations, this vulnerability can lead to unauthorized script execution within trusted WordPress sites, potentially compromising user sessions, stealing sensitive information, or enabling further attacks such as privilege escalation or malware distribution. Given the popularity of WordPress and WPBakery Page Builder in Europe, especially among SMEs and content-heavy websites, the risk of exploitation could result in reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and operational disruption. The requirement for contributor-level access limits the attack surface but insider threats or compromised accounts could facilitate exploitation. The dependency on RevSlider being installed narrows the affected population but many sites bundle these plugins together, increasing exposure. The vulnerability’s ability to affect confidentiality and integrity without impacting availability means attackers can stealthily compromise data or user trust without immediate detection. European organizations with public-facing WordPress sites should consider this a moderate but actionable threat, particularly in sectors handling personal data or critical services.

1. Immediately update WPBakery Page Builder to a patched version once available, or apply vendor-provided security patches. 2. If patching is not immediately possible, disable or remove the RevSlider plugin to eliminate the attack vector. 3. Restrict contributor-level and higher access to trusted personnel only, and regularly audit user roles and permissions. 4. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'rev_slider_vc' shortcode parameters. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on WordPress sites. 6. Conduct regular security reviews and code audits of custom shortcodes or plugins that interact with user input. 7. Monitor logs for unusual activity or injection attempts related to shortcode usage. 8. Educate content editors and administrators about the risks of XSS and safe content practices. 9. Consider isolating WordPress instances or using containerization to limit potential lateral movement if exploited.