CVE-2025-9353 identifies a stored cross-site scripting (XSS) vulnerability in the Themify Builder plugin for WordPress, a popular page builder tool. The flaw exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied data in several parameters. This allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability affects all versions up to and including 7.6.9, with a partial patch applied in 7.6.9 that may not fully remediate the issue. The attack vector requires network access and authenticated privileges but no user interaction beyond viewing the infected page. The CVSS 3.1 score of 6.4 reflects a medium severity with low attack complexity and partial scope impact, affecting confidentiality and integrity but not availability. No known exploits are currently reported in the wild. This vulnerability is categorized under CWE-79, highlighting improper input neutralization during web page generation. The partial patch status suggests that users should verify the effectiveness of updates or await a full fix.

The primary impact of this vulnerability is on the confidentiality and integrity of data within affected WordPress sites using Themify Builder. Malicious scripts injected by attackers can steal session cookies, enabling account takeover or privilege escalation. Attackers could also manipulate page content or redirect users to malicious sites, damaging reputation and user trust. Since Contributor-level users can exploit this, insider threats or compromised accounts pose a significant risk. Although availability is not directly impacted, secondary effects such as defacement or phishing could indirectly disrupt services. Organizations relying on Themify Builder for content management or e-commerce may face data breaches, unauthorized access, or compliance violations. The scope includes all sites running vulnerable versions, which could be substantial given WordPress’s global popularity. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

Organizations should immediately update Themify Builder to the latest version once a full patch is released, as version 7.6.9 only partially addresses the issue. Until then, implement strict role-based access controls to limit Contributor-level and higher permissions to trusted users only. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting Themify Builder parameters. Conduct thorough code reviews and input validation on any custom integrations with the plugin. Monitor logs for unusual activity or unexpected page content changes. Educate users about the risks of XSS and encourage reporting of suspicious behavior. Consider deploying Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact if exploitation occurs. Regularly audit and sanitize existing content to remove any injected scripts. Finally, maintain a robust incident response plan to quickly address any detected compromise.