The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the 'heading_color' parameter and multiple other styling parameters in the `wpbforwpbakery_product_additional_information` shortcode are not properly sanitized or escaped. This allows authenticated attackers with Shop Manager or higher privileges to inject arbitrary JavaScript code that executes in the context of users visiting the injected page. The vulnerability affects all versions up to 1.2.0 inclusive. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, no user interaction, scope changed, and low impact on confidentiality and integrity, with no impact on availability.

An attacker with Shop Manager-level access or higher can exploit this vulnerability to inject persistent malicious scripts into pages generated by the plugin. These scripts execute in the browsers of users who visit the compromised pages, potentially leading to session hijacking, unauthorized actions, or other client-side impacts. The vulnerability does not affect availability and has a low impact on confidentiality and integrity according to the CVSS score.

No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. Until a fix is released, restrict Shop Manager and higher privileges to trusted users only, as exploitation requires authenticated access at this level. Avoid using the affected shortcode parameters with untrusted input. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.