CVE-2025-4968 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WPBakery Page Builder plugin for WordPress, specifically versions up to and including 8.4.1. This vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The flaw exists in multiple Page Builder elements such as Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart. Due to insufficient input sanitization and output escaping on user-supplied attributes, authenticated attackers with contributor-level privileges or higher can inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of the victim's browser session. The vulnerability does not require user interaction beyond visiting the infected page, and the attack scope is limited to sites using the vulnerable WPBakery plugin versions. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, and partial confidentiality and integrity impact without availability impact. No known exploits are currently reported in the wild, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk for websites relying on WPBakery for content creation and management.

For European organizations, this vulnerability poses a risk primarily to websites and web applications built on WordPress that utilize the WPBakery Page Builder plugin. Successful exploitation can lead to unauthorized script execution in the browsers of site visitors or administrators, potentially resulting in credential theft, unauthorized actions, or distribution of malware. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and disrupt business operations. Since many European companies use WordPress for marketing, e-commerce, and internal portals, the impact can extend to customer trust and regulatory compliance. The vulnerability's requirement for contributor-level access means insider threats or compromised accounts can be leveraged, increasing the risk in environments with multiple content editors. Additionally, the cross-site scripting can be used as a pivot point for further attacks against users or the organization, including phishing or session hijacking.

1. Immediate upgrade: Organizations should update the WPBakery Page Builder plugin to a patched version once available. If no patch is currently released, consider temporarily disabling or removing the plugin to prevent exploitation. 2. Access control hardening: Restrict contributor-level access and above to trusted users only, enforce strong authentication mechanisms, and monitor for suspicious account activity. 3. Input validation and output encoding: Implement additional server-side input validation and output encoding for user-supplied content in custom implementations or overrides of WPBakery elements. 4. Web Application Firewall (WAF): Deploy and configure WAF rules to detect and block typical XSS payloads targeting WPBakery elements. 5. Security monitoring: Enable logging and monitoring of web application activity to detect unusual behavior indicative of exploitation attempts. 6. User awareness: Educate content editors about the risks of injecting untrusted content and the importance of following secure content creation practices. 7. Backup and recovery: Maintain regular backups of website content and configurations to enable rapid restoration if compromise occurs.