CVE-2025-3669 identifies a stored cross-site scripting (XSS) vulnerability in the Supreme Addons for Beaver Builder plugin for WordPress, specifically in the auto_qrcodesabb shortcode. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before rendering. Authenticated attackers with contributor-level access or higher can exploit this by injecting arbitrary JavaScript code into pages. Since the malicious script is stored, it executes in the context of any user who visits the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions. The vulnerability affects all plugin versions up to and including 1.0.9. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits are currently known, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The lack of patches at the time of reporting necessitates immediate mitigation steps to reduce risk.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject persistent malicious scripts, which execute in the browsers of site visitors and administrators. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, defacement, or distribution of malware. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory consequences if sensitive data is exposed. Since the vulnerability requires authenticated access, the risk is somewhat mitigated, but many WordPress sites allow contributor or higher roles for content editors, increasing the attack surface. The scope includes any site using the vulnerable plugin version, which could be substantial given the popularity of Beaver Builder and its addons. The absence of known exploits reduces immediate threat but does not eliminate future risk.

1. Immediately restrict contributor-level and higher user roles to trusted personnel only, minimizing the risk of malicious input. 2. Monitor and audit user-generated content, especially any content using the auto_qrcodesabb shortcode, for suspicious scripts or anomalies. 3. Implement web application firewall (WAF) rules to detect and block common XSS payloads targeting this vulnerability. 4. Apply any official patches or updates from the vendor as soon as they become available. 5. If patches are not yet available, consider disabling or removing the Supreme Addons for Beaver Builder plugin temporarily to eliminate exposure. 6. Educate content contributors about safe input practices and the risks of injecting untrusted code. 7. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact if exploitation occurs. 8. Regularly back up website data to enable recovery in case of compromise. 9. Use security plugins that scan for malicious code injections and alert administrators promptly.