CVE-2025-14054 is a stored cross-site scripting (XSS) vulnerability identified in the WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress, which is widely used to enhance WooCommerce product pages. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically through the 'heading_color' parameter and multiple other styling parameters within the wpbforwpbakery_product_additional_information shortcode. Due to insufficient input sanitization and lack of proper output escaping, authenticated users with Shop Manager-level access or higher can inject arbitrary JavaScript code into pages. This malicious code is stored persistently and executed in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The CVSS v3.1 base score is 4.4 (medium severity), reflecting that exploitation requires network access, high attack complexity, and high privileges, but no user interaction is needed. The vulnerability affects all plugin versions up to and including 1.2.0. No official patches or updates are currently linked, and no known exploits have been reported in the wild. The vulnerability's scope includes any WordPress site using this plugin version, particularly e-commerce sites relying on WooCommerce and WPBakery Page Builder. The issue highlights the importance of rigorous input validation and output encoding in plugin development to prevent XSS attacks that can compromise site security and user trust.

The primary impact of CVE-2025-14054 is the potential for attackers with Shop Manager or higher privileges to inject persistent malicious scripts into WooCommerce product pages. This can lead to unauthorized actions such as session hijacking, theft of sensitive customer information, unauthorized changes to site content, or further privilege escalation within the WordPress environment. Since the malicious scripts execute in the context of users visiting the infected pages, including administrators or customers, the confidentiality and integrity of data are at risk. Although availability is not directly impacted, the reputational damage and potential regulatory consequences from data breaches can be significant. Organizations running affected versions of the plugin may face increased risk of targeted attacks, especially if attackers gain Shop Manager access through compromised credentials or insider threats. The medium CVSS score reflects the requirement for high privileges and the absence of user interaction, limiting the ease of exploitation but not eliminating the threat. E-commerce sites relying on WooCommerce and WPBakery Page Builder are particularly vulnerable, as compromise could affect online sales, customer trust, and compliance with data protection regulations.

To mitigate CVE-2025-14054, organizations should first verify if they are using the WC Builder – WooCommerce Page Builder for WPBakery plugin version 1.2.0 or earlier. If so, they should monitor vendor communications for official patches or updates addressing this vulnerability and apply them promptly once available. In the absence of an official patch, administrators should restrict Shop Manager and higher privileges to trusted personnel only, implementing strict access controls and multi-factor authentication to reduce the risk of credential compromise. Reviewing and sanitizing any existing shortcode parameters, especially 'heading_color' and other styling inputs, can help identify and remove injected scripts. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting these parameters can provide additional protection. Regular security audits and monitoring of WordPress logs for unusual activity related to shortcode usage are recommended. Additionally, educating site administrators about the risks of XSS and enforcing the principle of least privilege can reduce the attack surface. Finally, consider isolating critical administrative interfaces and using Content Security Policy (CSP) headers to limit the execution of unauthorized scripts.