CVE-2025-10006 is a stored cross-site scripting (XSS) vulnerability identified in the WPBakery Page Builder plugin for WordPress, specifically affecting all versions up to and including 8.6. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. It is located in the handling of the 'rev_slider_vc' shortcode, where user-supplied attributes are not adequately sanitized or escaped before being output on pages. This flaw enables authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or other malicious actions. Notably, exploitation requires that the RevSlider plugin is also installed, as the vulnerability depends on its shortcode integration. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, privileges required at the low level, no user interaction needed, and a scope change. There are no known public exploits in the wild at the time of publication. The vulnerability was reserved in early September 2025 and published in mid-October 2025. The lack of official patches at the time suggests that users should apply workarounds or monitor for updates from the vendor. This vulnerability highlights the risks of insufficient input validation in widely used WordPress plugins, especially when combined with other plugins like RevSlider.

The impact of CVE-2025-10006 on organizations worldwide can be significant, particularly for those relying on WordPress sites using WPBakery Page Builder and RevSlider plugins. Successful exploitation allows an authenticated contributor or higher to inject malicious scripts that execute in the context of other users visiting the compromised pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. Since contributors typically have limited privileges, the vulnerability lowers the barrier for attackers to escalate their influence within the site. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially compromised plugin, potentially impacting the entire WordPress site. Although no known exploits exist currently, the medium severity and ease of exploitation (low complexity, no user interaction) make this a credible threat. Organizations with high-traffic WordPress sites, especially those with multiple contributors, face risks of reputational damage, data breaches, and loss of user trust if exploited. The requirement for RevSlider limits exposure but does not eliminate it, as both plugins are popular. Attackers could leverage this vulnerability as part of broader campaigns targeting WordPress ecosystems.

To mitigate CVE-2025-10006, organizations should take the following specific actions: 1) Immediately audit WordPress sites to identify installations of WPBakery Page Builder and RevSlider plugins, confirming versions and configurations. 2) Restrict contributor-level access to trusted users only, minimizing the risk of malicious insiders or compromised accounts exploiting the vulnerability. 3) Apply any available vendor patches or updates as soon as they are released; monitor WPBakery and RevSlider official channels for security updates. 4) If patches are not yet available, consider temporarily disabling the 'rev_slider_vc' shortcode or the RevSlider plugin to eliminate the attack vector. 5) Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the shortcode parameters, focusing on script injection patterns. 6) Conduct regular security reviews and scanning for XSS vulnerabilities and signs of compromise on affected sites. 7) Educate site administrators and contributors about the risks of injecting untrusted content and the importance of secure coding practices. 8) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts, reducing the impact of any injected code. These targeted steps go beyond generic advice by focusing on the specific conditions and exploitation path of this vulnerability.