Stored Cross-Site Scripting in WPBakery Page Builder Plugin for WordPress
CVE-2025-4968

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: WPbakery Visual Composer
Vendor: CVE Published:; 24 July 2025

What is CVE-2025-4968?

The WPBakery Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting attacks due to insufficient input sanitization and output escaping for various Page Builder elements. Authenticated attackers, with contributor-level permissions or higher, are able to inject malicious scripts into pages. This vulnerability affects all versions up to and including 8.4.1, allowing attackers to execute arbitrary scripts when users visit those compromised pages, posing significant security risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WPBakery Visual Composer * <= 8.4.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://kb.wpbakery.com/docs/preface/release-notes/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jul 24, 2025
Vulnerability Reserved
May 19, 2025

Credit

D.Sim

JSON

WordPress