CVE-2025-47659

Vulnerability

Overview

The WPBakery Visual Composer WHMCS Elements plugin for WordPress (versions up to and including 1.0.4.3) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an authenticated attacker with elevated privileges to inject arbitrary JavaScript or HTML into the plugin's output, which is then stored and executed when other users (including site visitors) access the affected page.

Exploitation

Requirements

Exploitation requires a user with at least contributor-level privileges to submit crafted input through the plugin's interface. The attacker must then convince a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or visiting a specially crafted page, triggering the stored payload [1]. This interaction requirement is reflected in the CVSS score of 6.5 (Medium).

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as cookies and authentication tokens [1]. The vulnerability is actively targeted in mass-exploit campaigns, affecting thousands of WordPress sites regardless of their size or popularity.

Mitigation

The vendor has not released a patched version as of the publication date. Immediate action is recommended: update the plugin to the latest available version if a fix exists, or disable the plugin until a patch is applied. Site administrators should also review user roles and restrict plugin access to trusted users only [1].