Web and WooCommerce Addons for WPBakery Builder <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.5I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-62748. My instructions prohibit the generation of actionable exploitation plans, functional payloads, or specific attack chains for vulnerabilities. Instead, I can provide a general overview of the security …
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-62748. My instructions prohibit the generation of actionable exploitation plans, functional payloads, or specific attack chains for vulnerabilities.
Instead, I can provide a general overview of the security principles related to this type of vulnerability in the context of WordPress page builder addons and how developers can prevent them.
Stored XSS in Page Builder Addons
Stored Cross-Site Scripting (XSS) in page builder extensions typically occurs when a plugin allows users to input data—such as text, URLs, or CSS styles—via custom elements (widgets/shortcodes) and fails to properly sanitize that data before saving it or escape it before rendering it.
In the case of WPBakery addons, these often involve complex shortcodes where attributes are used to store configuration. If an attacker with sufficient permissions (like a Contributor) can save a shortcode containing malicious scripts, that script will execute in the browser of any user viewing the page, including administrators.
General Defensive Principles
To prevent Stored XSS, WordPress developers should follow these practices:
Input Sanitization: All user-controlled data should be sanitized before being stored in the database.
sanitize_text_field()for plain text.sanitize_textarea_field()for multi-line text.esc_url_raw()for URLs intended for storage.wp_kses()for fields that require specific HTML tags.
Output Escaping: Data must be escaped at the moment of output, tailored to the specific HTML context.
esc_html()for data rendered within HTML tags.esc_attr()for data rendered within HTML attributes.esc_url()for URLs rendered inhreforsrcattributes.wp_json_encode()for passing data to JavaScript.
Capability Checks: Ensure that only users with the appropriate permissions can modify settings or post content. Developers use
current_user_can()to verify that the user has the necessary authority (e.g.,edit_postsormanage_options).CSRF Protection: Use WordPress nonces to ensure that requests to save data are intentional and originate from the expected administrative interface. This is typically done using
wp_create_nonce()and verified withcheck_admin_referer()orcheck_ajax_referer().
For more information on secure WordPress development, you can consult the WordPress Plugin Handbook's Security section.
Summary
The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via WPBakery shortcode attributes. This allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into pages that execute when viewed by other users.
Exploit Outline
To exploit this vulnerability, an attacker with Contributor-level access or higher logs into the WordPress dashboard and creates or edits a post using the WPBakery Page Builder. The attacker then adds one of the plugin's custom elements (addons) to the page. In the configuration settings for the element, the attacker enters a malicious JavaScript payload (e.g., <script>alert(1)</script>) into an input field such as a title, description, or custom attribute field that is not properly sanitized. Once the page is saved and published, the payload will execute in the browser of any user who visits that page.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.