CVE-2025-69390

Vulnerability

Details

The Business Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress versions up to and including 1.3.2 suffers from a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code into the response.

Exploitation

An attacker can exploit this flaw by crafting a malicious URL containing the XSS payload and tricking a privileged user (such as an administrator) into clicking it [1]. The vulnerability requires user interaction, as the victim must perform an action like clicking a link or visiting a crafted page. According to the advisory, this type of vulnerability is moderately dangerous and expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation enables the attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to redirects, advertisement injection, or other HTML payloads that execute when visitors access the affected site [1]. This can result in defacement, credential theft, or further compromise of the WordPress installation.

Mitigation

As of the publication date, no official patch has been released for the plugin. However, Patchstack has provided a mitigation rule to block attacks until an official fix is available [1]. Users are strongly advised to update the plugin as soon as a patched version is released, or to contact their hosting provider for assistance.