Stored Cross-Site Scripting in Colibri Page Builder Plugin for WordPress
CVE-2025-11747

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 19 December 2025

What is CVE-2025-11747?

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the colibri_blog_posts shortcode. The issue stems from insufficient input sanitization and output escaping of user-supplied shortcode attributes. As a result, authenticated users with contributor-level access or higher can inject arbitrary web scripts into pages; those scripts execute whenever another user views the affected page, potentially leading to data theft, session hijacking, or further exploitation.
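The defect class described above, illustrated with a hypothetical shortcode handler (an added example, not Colibri Page Builder's code; the shortcode name, attribute names and function names are assumptions) shown in its unsafe form beside a hardened one:

```php
<?php
// Hypothetical [demo_blog_posts] shortcode used only to illustrate the bug class.
// Note: contributors lack the unfiltered_html capability, so wp_kses strips tags
// from the post body, but text inside shortcode attributes passes through kses
// untouched. The handler is therefore the last line of defence and must escape it.

// Unsafe pattern: attribute values are concatenated straight into markup.
function demo_blog_posts_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'count' => 5, 'class' => '' ), $atts, 'demo_blog_posts' );
    $out  = '<div class="' . $atts['class'] . '">';   // attribute context, unescaped
    $out .= '<h2>' . $atts['title'] . '</h2>';        // HTML context, unescaped
    return $out . '</div>';
}

// Hardened pattern: sanitize on input, then escape on output for each context.
function demo_blog_posts_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'count' => 5, 'class' => '' ), $atts, 'demo_blog_posts' );

    $count = absint( $atts['count'] );               // integers only
    $class = sanitize_html_class( $atts['class'] );  // single CSS class token
    $title = sanitize_text_field( $atts['title'] );  // strips tags and control chars

    $out  = '<div class="' . esc_attr( $class ) . '">';
    $out .= '<h2>' . esc_html( $title ) . '</h2>';

    $query = new WP_Query( array( 'posts_per_page' => $count, 'post_status' => 'publish' ) );
    while ( $query->have_posts() ) {
        $query->the_post();
        // Each value is escaped for the context it lands in: URL vs. text node.
        $out .= '<a href="' . esc_url( get_permalink() ) . '">' . esc_html( get_the_title() ) . '</a>';
    }
    wp_reset_postdata();

    return $out . '</div>';
}

add_shortcode( 'demo_blog_posts', 'demo_blog_posts_safe' );
```

When reviewing a shortcode handler, trace every value returned by shortcode_atts() to the point where it is emitted and confirm an esc_* function matching that output context sits in between.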

Affected Version(s)

Colibri Page Builder: all versions <= 1.0.345

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Abu Hurayra