CVE-2025-4965: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPBakery Page Builder for WordPress

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-4965, cve, cve-2025-4965, cwe-79
Published: Thu Jun 19 2025 (06/19/2025, 06:44:49 UTC)
Source: CVE Database V5
Product: WPBakery Page Builder for WordPress

Description

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 06/19/2025, 07:16:35 UTC

Technical Analysis

CVE-2025-4965 is a stored Cross-Site Scripting (XSS) vulnerability found in the WPBakery Page Builder plugin for WordPress, specifically affecting all versions up to and including 8.4.1. The vulnerability arises from improper neutralization of user-supplied input during web page generation within the plugin's Grid Builder feature. Authenticated users with author-level privileges or higher can exploit this flaw by injecting malicious JavaScript code into pages or posts. Because the injected script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability is classified under CWE-79, indicating insufficient input sanitization and output escaping. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (author-level), no user interaction, and a scope change, impacting confidentiality and integrity but not availability. No known exploits are reported in the wild yet. The vulnerability affects a widely used WordPress plugin, which is popular among European organizations for website content management and e-commerce, making it a relevant threat vector in this region. The absence of a patch at the time of reporting increases the urgency for mitigation through configuration and access control measures.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of their web platforms. Exploitation could allow attackers to execute arbitrary scripts in the context of the affected website, potentially stealing session cookies, defacing content, or injecting malicious payloads that compromise user trust and data privacy. Given the GDPR regulatory environment, any data leakage or unauthorized access resulting from such an attack could lead to substantial legal and financial penalties. Organizations relying on WPBakery Page Builder for customer-facing websites, intranets, or e-commerce portals are particularly at risk. The scope of impact extends to any user visiting the compromised pages, including employees and customers, increasing the potential for widespread damage. Additionally, the vulnerability requires authenticated access at author level, which means insider threats or compromised user accounts can be leveraged to exploit this flaw. The medium CVSS score reflects moderate ease of exploitation but significant potential damage to confidentiality and integrity, which is critical for maintaining operational security and compliance in European contexts.

Mitigation Recommendations

- Immediately restrict author-level and higher privileges to trusted users only, enforcing strong authentication and monitoring for suspicious activity.
- Implement Web Application Firewall (WAF) rules specifically targeting WPBakery Page Builder Grid Builder inputs to detect and block malicious script payloads.
- Regularly audit user-generated content and pages created with the Grid Builder feature for suspicious or unauthorized scripts.
- Disable or limit the use of the Grid Builder feature if feasible until an official patch or update is released.
- Ensure WordPress core and all plugins, including WPBakery Page Builder, are kept up to date with the latest security releases once available.
- Apply Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks.
- Conduct user training to raise awareness about the risks of privilege misuse and the importance of secure content management practices.
- Monitor logs for unusual activity patterns related to page creation or modification by author-level users.
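One way to carry out the content audit recommended above, as an added example that is not part of the original advisory or the plugin's code: it parses WordPress-style shortcode attributes from exported post content, undoes URL and HTML-entity encoding, and flags values that carry script-capable markup for manual review. The row format, the `example_grid_*` shortcode names and the sample posts are constructed for illustration; the advisory does not name the affected attributes.

```python
import html
import re
from urllib.parse import unquote

# Opening shortcode tag, e.g. [name attr="value"]; quoted values may contain "]".
SHORTCODE = re.compile(r'\[(\w[\w-]*)((?:"[^"]*"|\'[^\']*\'|[^\]"\'])*)\]')
ATTRIBUTE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')
# Markup that can run script once an attribute is echoed without escaping.
INDICATORS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script-uri": re.compile(r"\b(?:javascript|vbscript)\s*:", re.I),
}
# Constructed sample rows (hypothetical export: post id, author role, post content).
SAMPLE_POSTS = [
    {"id": 101, "author_role": "author",
     "content": '[example_grid_item title="Spring sale" css_class="promo"]'},
    {"id": 102, "author_role": "author",
     "content": '[example_grid_item title="x&quot; onmouseover=&quot;alert(1)"]'},
    {"id": 103, "author_role": "editor",
     "content": '[example_grid_link url="javascript%3Aalert(1)" label="More"]'},
]

def normalize(value, rounds=3):
    # Undo layered URL and HTML-entity encoding, with a bounded number of passes.
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def audit_post(post):
    """Return one finding per shortcode attribute that matches an indicator."""
    findings = []
    for tag in SHORTCODE.finditer(post["content"]):
        for attr in ATTRIBUTE.finditer(tag.group(2)):
            value = normalize(attr.group(2) or attr.group(3) or "")
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(value))
            if hits:
                findings.append({"post_id": post["id"], "role": post["author_role"],
                                 "shortcode": tag.group(1), "attribute": attr.group(1),
                                 "indicators": hits})
    return findings

def audit(posts):
    return [finding for post in posts for finding in audit_post(post)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTS):
        print(finding)
```

The event-handler pattern is deliberately broad and will also flag harmless values such as `online=1`, so treat findings as a review queue rather than a verdict.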


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-19T20:20:43.214Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6853b5d433c7acc04608c993

Added to database: 6/19/2025, 7:01:40 AM

Last enriched: 6/19/2025, 7:16:35 AM

Last updated: 8/17/2025, 9:55:02 AM
