CVE-2025-10006 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WPBakery Page Builder plugin for WordPress, specifically affecting all versions up to and including 8.6. The vulnerability arises from improper input sanitization and output escaping in the 'rev_slider_vc' shortcode, which is only exploitable when the RevSlider plugin is also installed. Authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages via user-supplied shortcode attributes. Because the malicious script is stored in the page content, it executes whenever any user accesses the infected page, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability does not require user interaction beyond visiting the compromised page and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The vulnerability impacts confidentiality and integrity but not availability. No known public exploits have been reported yet. The issue stems from CWE-79, highlighting improper neutralization of input during web page generation. The vulnerability was reserved in early September 2025 and published in mid-October 2025. No official patches or updates have been linked yet, so mitigation relies on access control and disabling vulnerable features.

For European organizations, this vulnerability poses a significant risk to websites using WordPress with the WPBakery Page Builder and RevSlider plugins. Exploitation could lead to unauthorized script execution, enabling attackers to hijack user sessions, steal sensitive information, or deface websites. This can damage organizational reputation, lead to data breaches, and cause compliance issues under regulations such as GDPR. Since contributors can exploit this, insider threats or compromised contributor accounts increase risk. The vulnerability affects the confidentiality and integrity of web content and user data but does not impact availability. Organizations with customer-facing websites or portals relying on these plugins are particularly vulnerable. The lack of known exploits in the wild provides a window for proactive mitigation, but the widespread use of WordPress in Europe means the attack surface is large. Attackers may target high-traffic sites or those with valuable user data, amplifying potential impact.

1. Immediately audit user roles and restrict contributor-level access to trusted personnel only, minimizing the risk of malicious shortcode injection. 2. Disable or remove the 'rev_slider_vc' shortcode if RevSlider is installed and not essential, preventing exploitation of the vulnerable code path. 3. Monitor website content and logs for unusual shortcode usage or injected scripts, employing web application firewalls (WAF) with custom rules targeting this vulnerability. 4. Apply principle of least privilege for all WordPress users and enforce strong authentication mechanisms to reduce risk of account compromise. 5. Regularly update WPBakery Page Builder and RevSlider plugins once patches are released by vendors. 6. Consider implementing Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. 7. Conduct security awareness training for contributors about the risks of injecting untrusted content. 8. Use security plugins that scan for XSS payloads and sanitize inputs proactively. 9. Backup website data frequently to enable quick restoration in case of compromise. 10. Engage with WordPress security communities to stay informed about emerging exploits and patches related to this vulnerability.