Skip to main content

CVE-2025-4968: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpbakery WPBakery Visual Composer

Medium
VulnerabilityCVE-2025-4968cvecve-2025-4968cwe-79
Published: Thu Jul 24 2025 (07/24/2025, 03:39:04 UTC)
Source: CVE Database V5
Vendor/Project: wpbakery
Product: WPBakery Visual Composer

Description

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Page Builder elements (Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart) in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/24/2025, 04:17:48 UTC

Technical Analysis

CVE-2025-4968 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WPBakery Page Builder plugin for WordPress, specifically versions up to and including 8.4.1. This vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The flaw exists in multiple Page Builder elements such as Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart. Due to insufficient input sanitization and output escaping on user-supplied attributes, authenticated attackers with contributor-level privileges or higher can inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of the victim's browser session. The vulnerability does not require user interaction beyond visiting the infected page, and the attack scope is limited to sites using the vulnerable WPBakery plugin versions. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, and partial confidentiality and integrity impact without availability impact. No known exploits are currently reported in the wild, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk for websites relying on WPBakery for content creation and management.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to websites and web applications built on WordPress that utilize the WPBakery Page Builder plugin. Successful exploitation can lead to unauthorized script execution in the browsers of site visitors or administrators, potentially resulting in credential theft, unauthorized actions, or distribution of malware. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and disrupt business operations. Since many European companies use WordPress for marketing, e-commerce, and internal portals, the impact can extend to customer trust and regulatory compliance. The vulnerability's requirement for contributor-level access means insider threats or compromised accounts can be leveraged, increasing the risk in environments with multiple content editors. Additionally, the cross-site scripting can be used as a pivot point for further attacks against users or the organization, including phishing or session hijacking.

Mitigation Recommendations

1. Immediate upgrade: Organizations should update the WPBakery Page Builder plugin to a patched version once available. If no patch is currently released, consider temporarily disabling or removing the plugin to prevent exploitation. 2. Access control hardening: Restrict contributor-level access and above to trusted users only, enforce strong authentication mechanisms, and monitor for suspicious account activity. 3. Input validation and output encoding: Implement additional server-side input validation and output encoding for user-supplied content in custom implementations or overrides of WPBakery elements. 4. Web Application Firewall (WAF): Deploy and configure WAF rules to detect and block typical XSS payloads targeting WPBakery elements. 5. Security monitoring: Enable logging and monitoring of web application activity to detect unusual behavior indicative of exploitation attempts. 6. User awareness: Educate content editors about the risks of injecting untrusted content and the importance of following secure content creation practices. 7. Backup and recovery: Maintain regular backups of website content and configurations to enable rapid restoration if compromise occurs.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-05-19T20:58:07.027Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6881b066ad5a09ad00303fc9

Added to database: 7/24/2025, 4:02:46 AM

Last enriched: 7/24/2025, 4:17:48 AM

Last updated: 8/15/2025, 3:27:36 AM

Views: 27

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats