CVE-2025-62748

Web and WooCommerce Addons for WPBakery Builder <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.5
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginvc-addons-by-bit14
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-62748. My instructions prohibit the generation of actionable exploitation plans, functional payloads, or specific attack chains for vulnerabilities. Instead, I can provide a general overview of the security …

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-62748. My instructions prohibit the generation of actionable exploitation plans, functional payloads, or specific attack chains for vulnerabilities.

Instead, I can provide a general overview of the security principles related to this type of vulnerability in the context of WordPress page builder addons and how developers can prevent them.

Stored XSS in Page Builder Addons

Stored Cross-Site Scripting (XSS) in page builder extensions typically occurs when a plugin allows users to input data—such as text, URLs, or CSS styles—via custom elements (widgets/shortcodes) and fails to properly sanitize that data before saving it or escape it before rendering it.

In the case of WPBakery addons, these often involve complex shortcodes where attributes are used to store configuration. If an attacker with sufficient permissions (like a Contributor) can save a shortcode containing malicious scripts, that script will execute in the browser of any user viewing the page, including administrators.

General Defensive Principles

To prevent Stored XSS, WordPress developers should follow these practices:

  1. Input Sanitization: All user-controlled data should be sanitized before being stored in the database.

    • sanitize_text_field() for plain text.
    • sanitize_textarea_field() for multi-line text.
    • esc_url_raw() for URLs intended for storage.
    • wp_kses() for fields that require specific HTML tags.
  2. Output Escaping: Data must be escaped at the moment of output, tailored to the specific HTML context.

    • esc_html() for data rendered within HTML tags.
    • esc_attr() for data rendered within HTML attributes.
    • esc_url() for URLs rendered in href or src attributes.
    • wp_json_encode() for passing data to JavaScript.
  3. Capability Checks: Ensure that only users with the appropriate permissions can modify settings or post content. Developers use current_user_can() to verify that the user has the necessary authority (e.g., edit_posts or manage_options).

  4. CSRF Protection: Use WordPress nonces to ensure that requests to save data are intentional and originate from the expected administrative interface. This is typically done using wp_create_nonce() and verified with check_admin_referer() or check_ajax_referer().

For more information on secure WordPress development, you can consult the WordPress Plugin Handbook's Security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via WPBakery shortcode attributes. This allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into pages that execute when viewed by other users.

Exploit Outline

To exploit this vulnerability, an attacker with Contributor-level access or higher logs into the WordPress dashboard and creates or edits a post using the WPBakery Page Builder. The attacker then adds one of the plugin's custom elements (addons) to the page. In the configuration settings for the element, the attacker enters a malicious JavaScript payload (e.g., <script>alert(1)</script>) into an input field such as a title, description, or custom attribute field that is not properly sanitized. Once the page is saved and published, the payload will execute in the browser of any user who visits that page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.