Stored Cross-Site Scripting Vulnerability in Visual Composer Plugin for WordPress
CVE-2023-6880

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages
Vendor: CVE Published:; 13 March 2024

Summary

The Visual Composer plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability caused by inadequate input sanitization and output escaping. This affects all versions up to 45.6.0, allowing authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts. These injected scripts will execute whenever users access the compromised pages, potentially hijacking sessions, defacing websites, or spreading malware. Website administrators must ensure they upgrade to the latest version and implement proper input validation measures to safeguard against this vulnerability.

Affected Version(s)

Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages * <= 45.6.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://help.visualcomposer.com/release-notes/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Dec 15, 2023

Credit

Francesco Carlucci