CVE-2025-55709

Vulnerability

Overview Improper neutralization of input during web page generation in the Visual Composer Website Builder plugin for WordPress leads to a Stored Cross-Site Scripting (XSS) vulnerability. This issue affects all versions prior to 45.15.0, where user-supplied input is not properly sanitized before being stored and later rendered in web pages [1].

Exploitation

Conditions Exploitation requires a privileged user role with the ability to modify content using the plugin. The attacker must interact with a crafted page or submit a malicious form, which then stores the payload. The vulnerability does not require network-level access but does rely on user interaction, such as clicking a link or visiting a specific page [1].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML or JavaScript into web pages viewed by other users. This can be used to perform redirects, display advertisements, or execute other malicious scripts, potentially compromising visitor sessions or defacing the site [1].

Mitigation

The vendor has released version 45.15.0, which addresses the vulnerability. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins to protect against this and similar threats [1].