CVE-2025-4968 is a stored cross-site scripting (XSS) vulnerability identified in the WPBakery Visual Composer plugin for WordPress, affecting all versions up to and including 8.4.1. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and output escaping of user-supplied attributes in multiple page builder elements such as Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart. An attacker with authenticated contributor-level access or higher can inject arbitrary JavaScript code into pages via these elements. Because the malicious scripts are stored in the page content, they execute whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The vulnerability does not require user interaction beyond visiting the page and has a CVSS 3.1 base score of 6.4 (medium severity), with attack vector network, low attack complexity, privileges required (low), no user interaction, and scope changed. No public exploits are known at this time. The vulnerability highlights the risk of insufficient input validation in widely used WordPress plugins and the importance of strict access control and sanitization in web applications.

The impact of CVE-2025-4968 is significant for organizations running WordPress sites with the WPBakery Visual Composer plugin, especially those allowing contributor-level or higher access to multiple users. Successful exploitation enables attackers to inject persistent malicious scripts that execute in the browsers of any visitors to the compromised pages. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed with victim privileges, and potential pivoting to further attacks within the organization’s web environment. Since the vulnerability affects a popular page builder plugin used by millions of websites worldwide, the attack surface is large. Compromised sites may suffer reputational damage, data breaches, and regulatory consequences if user data is exposed. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but many organizations have multiple contributors, increasing risk. The vulnerability does not impact availability but threatens confidentiality and integrity of user data and site content.

To mitigate CVE-2025-4968, organizations should immediately update the WPBakery Visual Composer plugin to a patched version once released by the vendor. Until a patch is available, restrict contributor-level and higher access strictly to trusted users and review user permissions regularly. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting the affected elements. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce impact of injected scripts. Conduct regular security audits of user-generated content and monitor logs for suspicious activity indicative of exploitation attempts. Educate content contributors about safe input practices and the risks of injecting untrusted content. Consider disabling or limiting use of vulnerable page builder elements if feasible. Finally, maintain robust incident response plans to quickly address any detected compromise stemming from this vulnerability.