CVE-2025-48154
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Multimedia Playlist Slider Addon for WPBakery Page Builder lbg_vp_youtube_vimeo_addon_visual_composer allows Reflected XSS. This issue affects Multimedia Playlist Slider Addon for WPBakery Page Builder: from n/a through <= 2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the Multimedia Playlist Slider Addon for WPBakery Page Builder (≤2.1) allows attackers to inject malicious scripts via crafted requests.
The vulnerability is a Reflected Cross-site Scripting (XSS) found in the Multimedia Playlist Slider Addon for WPBakery Page Builder plugin (versions <= 2.1). It stems from improper neutralization of input during web page generation, meaning the plugin does not properly sanitize user-supplied input before rendering it in a page response [1].
Exploitation requires user interaction—such as clicking a malicious link or visiting a crafted page—and can be performed by an authenticated user or an external attacker tricking a privileged user into taking that action. The low attack complexity and lack of prerequisites make it accessible for mass-exploit campaigns targeting thousands of WordPress sites [1].
Successful exploitation enables an attacker to inject arbitrary HTML and JavaScript payloads into the victim's browser. This can lead to redirects, unwanted advertisements, data theft, or other harmful actions performed within the context of the session [1].
Patchstack has released a mitigation rule to block attacks. The vendor resolved the issue by releasing version 2.2; users are strongly advised to update immediately. Those unable to update should contact their hosting provider or apply the available virtual patch [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.