CVE-2025-3669: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ullakalim8 Supreme Addons for Beaver Builder
The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-3669 is a stored Cross-Site Scripting (XSS) vulnerability in the Supreme Addons for Beaver Builder WordPress plugin, affecting all versions up to and including 1.0.9. It is an instance of CWE-79 (improper neutralization of input during web page generation): the plugin's auto_qrcodesabb shortcode takes user-supplied attribute values and writes them into the page's HTML without adequate sanitization on input or escaping on output. Any authenticated user with contributor-level access or higher can therefore place a crafted shortcode in post content. The shortcode route matters because contributors lack the unfiltered_html capability, so WordPress's KSES filtering strips raw script tags and event-handler attributes from their post bodies on save; a shortcode is plain bracketed text that survives that filtering, and the plugin only turns its attributes into HTML when the page is rendered. The injected script is stored with the post and executes in the browser of anyone who views the page, including the editor or administrator who reviews the contributor's draft, since contributors cannot publish on their own. In a privileged viewer's session the script can drive authenticated actions through the dashboard or REST API (for example creating accounts or changing plugin and theme files), which is how stored XSS in WordPress typically becomes full site compromise. The vulnerability carries a CVSS 3.1 base score of 6.4 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, low privileges (a contributor account), no user interaction required beyond a victim viewing the page, changed scope because the payload executes in victims' browsers rather than in the plugin itself, and low confidentiality and integrity impact with no availability impact. At the time of this analysis no in-the-wild exploitation has been reported and no fixed release is recorded. The CVE was reserved in April 2025 and published in July 2025 by Wordfence as the assigning CNA.
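To make the CWE-79 pattern concrete, here is an added example written for this analysis, not code from the Supreme Addons plugin (whose internals are not published in this advisory): a hypothetical QR-code shortcode handler written the unsafe way, beside the same handler hardened with WordPress's own escaping APIs. The attribute names (text, size, color), the function names and the QR-service URL are assumptions for illustration; only the shortcode tag auto_qrcodesabb comes from the advisory.

```php
<?php
// Added illustration, not the plugin's actual code. Attribute names, function
// names and the QR service URL are assumptions chosen for the example.

// VULNERABLE: attribute values flow straight into the HTML output.
// A contributor can save a shortcode such as
//   [auto_qrcodesabb text="x" size='100" onerror="alert(1)']
// in a post body; KSES strips raw <script> on save, but the bracketed text
// survives, and at render time any value here can close the quote and add
// new attributes or tags (the classic CWE-79 attribute breakout).
function sabb_qr_shortcode_vulnerable( $atts ) {
    $atts  = (array) $atts;
    $text  = isset( $atts['text'] )  ? $atts['text']  : '';
    $size  = isset( $atts['size'] )  ? $atts['size']  : '150';
    $color = isset( $atts['color'] ) ? $atts['color'] : '000000';

    $src = 'https://example.invalid/qr?data=' . $text . '&size=' . $size . '&color=' . $color;
    return '<img class="sabb-qr" src="' . $src . '" width="' . $size . '" alt="' . $text . '">';
}

// HARDENED: whitelist the accepted attributes with shortcode_atts(), coerce
// each to its expected type, build the URL with add_query_arg() and escape
// every value for the exact context it lands in.
function sabb_qr_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array(
            'text'  => '',
            'size'  => 150,
            'color' => '000000',
        ),
        $atts,
        'auto_qrcodesabb'
    );

    $text = sanitize_text_field( $atts['text'] );
    // Integer only, clamped to a sane range: a number cannot carry a quote.
    $size = min( max( absint( $atts['size'] ), 50 ), 1000 );
    // Exactly six hex digits or fall back to black; nothing else survives.
    $color = preg_match( '/^[0-9a-fA-F]{6}$/', $atts['color'] ) ? $atts['color'] : '000000';

    // add_query_arg() does not encode values itself, so encode the free text.
    $src = add_query_arg(
        array(
            'data'  => rawurlencode( $text ),
            'size'  => $size,
            'color' => $color,
        ),
        'https://example.invalid/qr'
    );

    return sprintf(
        '<img class="sabb-qr" src="%s" width="%d" height="%d" alt="%s">',
        esc_url( $src ),   // URL context: esc_url()
        $size,             // already an int, %d enforces it again
        $size,
        esc_attr( $text )  // HTML attribute context: esc_attr()
    );
}

// Registration as a real plugin would do it (hypothetical hook placement).
add_action( 'init', function () {
    add_shortcode( 'auto_qrcodesabb', 'sabb_qr_shortcode_hardened' );
} );
```

The hardened version removes the vulnerability class rather than a single payload: every attribute is either converted to a type that cannot contain markup or escaped with the function matching its output context, and an allow-list of attribute names means unexpected attributes are dropped before they reach the template.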
Potential Impact
For European organizations running WordPress sites with the Supreme Addons for Beaver Builder plugin, the exposure is real despite the medium score. The attacker needs only contributor-level access, a role frequently granted to guest writers, agencies or interns and often reached through compromised accounts or weak internal controls. A persistent script placed in a page runs in the browser of every visitor and, more importantly, of every editor or administrator who reviews the draft; from a privileged session it can perform actions with that user's rights, present phishing overlays to harvest credentials, or redirect visitors to malware. This is most serious where WordPress fronts customer portals, intranets or e-commerce, where trust in the rendered page and the integrity of its content are paramount. The changed scope in the CVSS vector reflects exactly this: the damage lands on site users and administrators, not on the plugin component itself. Availability is not affected, but the confidentiality and integrity of personal data processed by the site can be, with the consequent reputational damage, GDPR exposure and financial loss. The absence of known exploitation gives a window for proactive mitigation; the low skill and privilege needed for the attack argue against waiting.
Mitigation Recommendations
European organizations should immediately inventory their WordPress installations for the Supreme Addons for Beaver Builder plugin and record the installed version; every release up to and including 1.0.9 is affected. With no fixed release recorded at the time of writing, the options are to remove the plugin where it is not needed, or to keep it and reduce the attack surface: restrict the contributor role and above to trusted, MFA-protected accounts; review contributor submissions for the auto_qrcodesabb shortcode before previewing them in a privileged session, since the reviewer is the natural victim; and search existing post content for the shortcode to find anything already injected. A Web Application Firewall can block submissions whose shortcode attributes contain quotes, angle brackets or event-handler names, but pattern matching is bypassable and should be treated as a speed bump rather than a fix. A Content Security Policy limits what an injected script can do, but WordPress core and most plugins emit inline scripts, so an effective policy needs nonces or hashes and careful testing; again, defense in depth rather than a remedy. Log and alert on post saves by low-privilege users that contain shortcodes, and on administrative actions (user creation, plugin or theme file edits) that follow shortly after an administrator previews contributor content. When a fixed release appears, update promptly and re-check stored content, since a patch does not remove payloads already saved. Finally, brief contributors on the risk and enforce strong authentication to reduce the likelihood of account compromise.
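Until a fixed release is available, an interim control a WordPress operator can deploy is a small must-use plugin that denies the shortcode to exactly the privilege level the advisory names, while leaving it available to administrators. The following is an added example written for this analysis, not vendor code; it assumes only the shortcode tag auto_qrcodesabb from the advisory and uses WordPress core hooks and capability checks.

```php
<?php
/**
 * Plugin Name: Interim guard for the auto_qrcodesabb shortcode
 * Description: Example must-use plugin (not from the plugin vendor). Blocks the
 * shortcode for users who lack unfiltered_html and neutralises it in posts such
 * users already saved. Place in wp-content/mu-plugins/ and delete once a fixed
 * plugin release is installed.
 */

// Tag name taken from the advisory; everything else here is an assumption.
const SABB_GUARDED_TAG = 'auto_qrcodesabb';

/**
 * Remove every opening, self-closing and closing form of the guarded shortcode.
 * The lookahead keeps a longer tag such as [auto_qrcodesabb_x] untouched.
 * Returns the content unchanged when the tag is absent.
 */
function sabb_guard_strip( $content ) {
    $tag = preg_quote( SABB_GUARDED_TAG, '/' );
    return preg_replace( '/\[\/?' . $tag . '(?=[\s\/\]])[^\]]*\]/i', '', $content );
}

// 1) On save: users without unfiltered_html (contributors, authors, and on
//    multisite every role but super admin) cannot store the shortcode at all.
//    Priority 1 runs before the KSES filters WordPress attaches at 10.
//    Programmatic saves with no logged-in user (cron, importers) are treated as
//    untrusted too; relax this if such a job legitimately needs the shortcode.
add_filter( 'content_save_pre', function ( $content ) {
    if ( current_user_can( 'unfiltered_html' ) || ! has_shortcode( $content, SABB_GUARDED_TAG ) ) {
        return $content;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'sabb-guard: stripped [%s] from content submitted by user %d (%s)',
        SABB_GUARDED_TAG,
        $user->ID,
        $user->user_login
    ) );
    return sabb_guard_strip( $content );
}, 1 );

// 2) On render: posts whose author lacks unfiltered_html have the shortcode
//    removed before do_shortcode() (priority 11 on the_content) can expand it.
//    This covers shortcodes injected before the guard was installed.
add_filter( 'the_content', function ( $content ) {
    $post = get_post();
    if ( ! $post || user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
        return $content;
    }
    if ( ! has_shortcode( $content, SABB_GUARDED_TAG ) ) {
        return $content;
    }
    return sabb_guard_strip( $content );
}, 10 );
```

The render-time filter is the important half for triage: it neutralises payloads that are already in the database, which a plugin update alone would not do. To enumerate those for cleanup, a WP-CLI query of the form `wp db query "SELECT ID, post_author, post_status FROM wp_posts WHERE post_content LIKE '%[auto_qrcodesabb%'"` lists candidate posts (adjust the `wp_` table prefix to the site's own); the has_shortcode() checks above require the plugin's shortcode to be registered, which is the case whenever it can also render.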
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-15T21:21:31.036Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6881fdd8ad5a09ad0033bebb
Added to database: 7/24/2025, 9:33:12 AM
Last enriched: 7/24/2025, 9:52:17 AM
Last updated: 8/31/2025, 9:28:45 AM