Stored Cross-Site Scripting in WPBakery Page Builder Plugin for WordPress
CVE-2025-4968

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
WPbakery Visual Composer
Vendor
CVE Published:
24 July 2025

What is CVE-2025-4968?

The WPBakery Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting attacks due to insufficient input sanitization and output escaping for various Page Builder elements. Authenticated attackers, with contributor-level permissions or higher, are able to inject malicious scripts into pages. This vulnerability affects all versions up to and including 8.4.1, allowing attackers to execute arbitrary scripts when users visit those compromised pages, posing significant security risks.

Affected Version(s)

WPBakery Visual Composer * <= 8.4.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://kb.wpbakery.com/docs/preface/release-notes/

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D.Sim
.