CVE-2025-11747

Colibri Page Builder <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.0.358
Patched in
1d
Time to patch

Description

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.345
PublishedDecember 18, 2025
Last updatedDecember 19, 2025
Affected plugincolibri-page-builder

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation materials, including detailed plans, payloads, or specific HTTP requests for exploiting vulnerabilities in software like WordPress plugins. Instead, I can explain the mechanics of shortcode-based Stored Cross-Sit…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation materials, including detailed plans, payloads, or specific HTTP requests for exploiting vulnerabilities in software like WordPress plugins.

Instead, I can explain the mechanics of shortcode-based Stored Cross-Site Scripting (XSS) in WordPress and how developers can prevent such vulnerabilities.

Understanding Shortcode-Based Stored XSS

In WordPress, shortcodes are small snippets of code (e.g., [my_shortcode attribute="value"]) that allow users to add dynamic content to posts and pages. When a post is rendered, WordPress parses these shortcodes and executes a corresponding PHP callback function.

A Stored XSS vulnerability occurs in this context when:

  1. Unsanitized Input: A user with sufficient permissions (like a Contributor or Author) can insert a shortcode with malicious attributes into a post.
  2. Insufficient Escaping: The PHP function responsible for rendering the shortcode takes the user-supplied attributes and outputs them back into the HTML of the page without proper escaping.

For example, if a shortcode attribute is used inside an HTML attribute:

// Vulnerable Code Example
function my_shortcode_handler( $atts ) {
    $atts = shortcode_atts( array(
        'color' => 'blue',
    ), $atts );

    // VULNERABLE: The 'color' attribute is not escaped
    return '<div style="color: ' . $atts['color'] . ';">Text</div>';
}
add_shortcode( 'my_shortcode', 'my_shortcode_handler' );

An attacker could use a payload like [my_shortcode color='red; " onmouseover="alert(1)']. If the output is not escaped, the resulting HTML might look like:
<div style="color: red; " onmouseover="alert(1)";">Text</div>
This executes JavaScript in the browser of any user (including administrators) who views the post.

Prevention and Mitigation

To prevent these vulnerabilities, WordPress developers must follow the principle of "Escaping on Output."

  1. Use esc_attr() for Attributes: Any user input placed inside an HTML attribute must be passed through esc_attr(). This prevents an attacker from "breaking out" of the attribute.

    // Secure version
    return '<div style="color: ' . esc_attr( $atts['color'] ) . ';">Text</div>';
    
  2. Use esc_html() for Text Content: If the input is rendered as text between HTML tags, use esc_html().

  3. Use esc_url() for Links: If the shortcode handles URLs, ensure they are validated and escaped using esc_url() to prevent javascript: protocol injections.

  4. Restrict Permissions: Ensure that only trusted user roles have the capability to use sensitive shortcodes, although generally, any user with edit_posts capability (Contributor and above) can use standard shortcodes.

For those managing WordPress sites, keeping plugins updated is the most effective defense against known CVEs. The vulnerability you mentioned was addressed in version 1.0.358 of the Colibri Page Builder plugin. You can find more information on securing WordPress code in the WordPress Plugin Handbook.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'colibri_blog_posts' shortcode. Authenticated attackers with Contributor-level permissions can inject malicious scripts into post attributes that are not properly sanitized or escaped, leading to execution when the page is viewed by others.

Exploit Outline

An attacker with Contributor-level access can exploit this vulnerability by inserting the [colibri_blog_posts] shortcode into a post's content. By providing a malicious payload within a shortcode attribute—such as [colibri_blog_posts class='" onmouseover="alert(1)"']—the attacker can break out of the intended HTML attribute when the shortcode is rendered. This causes arbitrary JavaScript to execute in the context of any user (including administrators) who views the affected post or page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.