Stored Cross-Site Scripting in SeedProd Website Builder Plugin for WordPress
CVE-2025-14785
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 8 July 2026
What is CVE-2025-14785?
The Website Builder by SeedProd, a plugin for WordPress, suffers from a Stored Cross-Site Scripting vulnerability through its seedprodnestedmenuwidget shortcode. This flaw arises from inadequate sanitization and output escaping of user-supplied attributes, affecting all versions up to and including 6.20.2. Authenticated attackers with contributor-level access and above can exploit this vulnerability, injecting malicious web scripts into pages that execute whenever a user accesses the compromised content.
Affected Version(s)
Website Builder by SeedProd β Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode 0 <= 6.20.2