CVE-2025-68574 is a DOM-based Cross-site Scripting (XSS) vulnerability found in the voidcoders WPBakery Visual Composer WHMCS Elements plugin, specifically affecting versions up to 1.0.4.3. The vulnerability stems from improper neutralization of input during the generation of web pages, which allows malicious scripts to be injected into the Document Object Model (DOM) on the client side. Unlike reflected or stored XSS, DOM-based XSS occurs entirely in the browser, where the malicious payload is executed when the victim interacts with a crafted URL or page element. This can lead to unauthorized script execution, enabling attackers to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The plugin integrates WPBakery Visual Composer elements into WHMCS, a popular web hosting billing and automation platform, making it a critical component in many web hosting environments. No CVSS score has been assigned yet, and no public exploits are known at this time. However, the vulnerability's nature means it can be exploited without authentication but requires user interaction, such as clicking a malicious link or visiting a compromised page. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for immediate attention from administrators using this plugin.

For European organizations, this vulnerability could lead to significant risks including theft of user credentials, session hijacking, and unauthorized actions within WHMCS environments. Since WHMCS is widely used by hosting providers and web service companies, exploitation could compromise customer data and disrupt billing or service management processes. The impact on confidentiality is high due to potential exposure of sensitive user information. Integrity is also at risk as attackers could manipulate user sessions or data. Availability impact is generally low for XSS but could be leveraged in phishing campaigns or combined with other attacks to cause broader disruption. Organizations in Europe with large hosting infrastructures or managed service providers using WPBakery Visual Composer WHMCS Elements are particularly vulnerable. The threat could undermine trust in service providers and lead to regulatory consequences under GDPR if personal data is compromised.

1. Monitor voidcoders and WPBakery plugin channels for official patches and apply updates immediately once available. 2. Implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 3. Sanitize and validate all user inputs and URL parameters at both client and server sides to prevent injection of malicious code. 4. Educate users and administrators about the risks of clicking untrusted links and the importance of verifying URLs. 5. Employ web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting WHMCS and WPBakery components. 6. Regularly audit and review plugin usage and configurations to minimize exposure. 7. Consider isolating or sandboxing WHMCS administrative interfaces to limit the scope of potential exploitation. 8. Conduct penetration testing focusing on DOM-based XSS vectors within the affected plugin environment.