CVE-2025-48232
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Addons For Beaver Builder – Lite xpro-addons-beaver-builder-elementor allows Stored XSS. This issue affects Xpro Addons For Beaver Builder – Lite: from n/a through <= 1.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Xpro Addons For Beaver Builder - Lite (≤1.5.5) allows authenticated attackers to inject malicious scripts into pages viewed by visitors.
Vulnerability Overview
In Xpro Addons For Beaver Builder – Lite versions up to and including 1.5.5, the plugin fails to properly neutralize input during web page generation, leading to a Stored Cross-Site Scripting (XSS) vulnerability [1]. This flaw arises from improper handling of user-supplied data that is later rendered in the browser without adequate sanitization.
Exploitation Prerequisites
The attack requires a privileged user (such as a contributor or higher) to inject malicious script payloads through the Beaver Builder editor interface. Once the crafted content is saved, the payload is stored and executed in the browsers of any user visiting the affected page [1]. No direct user interaction is needed beyond the initial injection by an authenticated user with appropriate permissions.
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript, HTML, or other script content. This can result in session hijacking, defacement, redirection to malicious sites, or theft of sensitive information when other users, including site visitors, load the compromised page [1].
Mitigation
The vulnerability is addressed in version 1.5.6 of the plugin. Users are advised to update immediately. Auto-update mechanisms for vulnerable plugins can be enabled via Patchstack [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
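To check an installation against the fixed release named under Mitigation, the following added example (not part of the original page or the plugin's own code) reads the plugin's header from a `wp-content/plugins` directory and reports whether it is below 1.5.6. The slug comes from the CVE description; the main-file name and header built in `demo()` are constructed sample data, and treating every version below 1.5.6 as affected is an assumption.

```python
import re
import tempfile
from pathlib import Path

SLUG = "xpro-addons-beaver-builder-elementor"  # plugin slug from the CVE description
FIXED = (1, 5, 6)  # first fixed release per the Mitigation paragraph

NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d[\w.\-]*)", re.M | re.I)

def parse_version(text):
    """'1.5.5' or '1.5.5-beta' -> (1, 5, 5); a non-numeric tail is ignored."""
    nums = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in nums.group().split(".")) if nums else ()

def installed_version(plugins_dir):
    """Version header of the plugin's main file, or None if it is not installed."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top of the file
        if NAME_RE.search(head):  # only the main file carries "Plugin Name:"
            m = VERSION_RE.search(head)
            return m.group(1) if m else "0"  # no Version header: treat as oldest
    return None

def audit(plugins_dir):
    """Assumption: anything below 1.5.6 is treated as affected (conservative)."""
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    state = "affected" if parse_version(version) < FIXED else "patched"
    return f"{state} ({version})"

def demo(version="1.5.5"):
    """Build a constructed plugin tree; main-file name and header are sample data."""
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root) / SLUG
        plugin.mkdir()
        header = f"<?php\n/**\n * Plugin Name: Sample header (constructed)\n * Version: {version}\n */\n"
        (plugin / "main-file.php").write_text(header)
        return audit(root)

if __name__ == "__main__":
    print(demo("1.5.5"), "|", demo("1.5.6"))
```

Point `audit()` at a real `wp-content/plugins` path to check a live site; tuple comparison keeps `1.6` and `1.10.0` ordered correctly where a string comparison would not.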
Affected products
- (no CPE) range: <=1.5.5
- (no CPE) range: <=1.5.5
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.