CVE-2025-68574 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the voidcoders WPBakery Visual Composer WHMCS Elements plugin, specifically affecting versions up to and including 1.0.4.3. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected into the Document Object Model (DOM) and executed in the context of the victim's browser. This type of XSS is client-side and does not necessarily require server-side script injection, making it harder to detect and mitigate without proper client-side sanitization. The vulnerability can be triggered when a user interacts with a crafted URL or input that the plugin processes insecurely, leading to script execution that can steal cookies, session tokens, or perform actions on behalf of the user. The CVSS 3.1 base score is 6.1, indicating medium severity, with attack vector being network (remote), low attack complexity, no privileges required, but user interaction is necessary. The scope is changed, meaning the vulnerability affects components beyond the vulnerable plugin itself, potentially impacting the broader application environment. No known exploits have been reported in the wild yet, but the presence of this vulnerability in a widely used WordPress page builder and WHMCS integration plugin poses a risk to websites that rely on these tools for content management and billing/service automation. The vulnerability was published on December 24, 2025, and no official patches or fixes are currently linked, emphasizing the need for vigilance and proactive mitigation. The plugin is commonly used in hosting and service provider environments, where WHMCS is prevalent, especially in Europe. Attackers exploiting this vulnerability could compromise user sessions, steal sensitive information, or perform unauthorized actions within the affected web applications.

For European organizations, the impact of CVE-2025-68574 can be significant, particularly for those operating web services, hosting platforms, or client portals that utilize WPBakery Visual Composer alongside WHMCS for billing and customer management. Successful exploitation could lead to theft of session cookies or authentication tokens, enabling attackers to impersonate legitimate users and access sensitive customer data or administrative functions. This compromises confidentiality and integrity of data, potentially leading to data breaches, fraud, or unauthorized changes to service configurations. While availability is not directly impacted, the reputational damage and regulatory consequences under GDPR for data exposure could be severe. European companies in sectors such as web hosting, managed services, and SaaS providers that integrate these plugins are at heightened risk. The vulnerability's requirement for user interaction means phishing or social engineering campaigns could be used to lure victims into triggering the exploit. The medium severity score reflects a moderate but non-negligible risk that should be addressed promptly to prevent escalation or chaining with other vulnerabilities.

1. Monitor voidcoders and WPBakery Visual Composer plugin repositories for official patches addressing CVE-2025-68574 and apply updates immediately upon release. 2. Until patches are available, implement strict input validation and output encoding on all user-supplied data processed by the plugin or related components to prevent malicious script injection. 3. Deploy Content Security Policy (CSP) headers configured to restrict the execution of inline scripts and only allow trusted script sources, reducing the risk of XSS exploitation. 4. Conduct regular security audits and penetration testing focusing on client-side vulnerabilities, especially DOM-based XSS vectors in web applications using WPBakery and WHMCS. 5. Educate users and administrators about phishing risks and encourage cautious behavior regarding clicking unknown or suspicious links that could trigger the vulnerability. 6. Consider using Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the affected plugin. 7. Review and harden the configuration of WHMCS and WordPress environments to minimize exposure and privilege escalation opportunities. 8. Implement multi-factor authentication (MFA) for administrative access to reduce the impact of stolen session tokens.