Stored Cross-Site Scripting in Amazing Service Box Addons for WPBakery Page Builder
CVE-2025-2573

6.4 MEDIUM

What is CVE-2025-2573?

The Amazing Service Box Addons for WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through unchecked SVG file uploads. The cause is inadequate input sanitization and output escaping, which lets authenticated users with Author-level access and above inject malicious scripts into webpages. The injected scripts execute whenever another user accesses the uploaded SVG file, which can lead to security threats such as data theft or site manipulation.

Affected Version(s)

Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) * <= 2.0.0

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Avraham Shemesh