WordPress Plugin Vulnerabilities

CoDesigner WooCommerce Builder for Elementor <= 4.28.2 - Author+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
woolementor
No known fix

References

CVE
CVE-2025-22788
URL
https://patchstack.com/database/wordpress/plugin/woolementor/vulnerability/wordpress-codesigner-plugin-4-7-17-2-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Robert DeVore
Verified
No
WPVDB ID
03eab6bd-7d86-4f7b-a6e2-0b7131c2165a

Timeline

Publicly Published
2025-01-13 (about 1 year ago)
Added
2025-01-22 (about 1 year ago)
Last Updated
2026-01-14 (about 2 months ago)

Other

Published
Title
Published
2025-10-17
Title
WPBakery Page Builder < 8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-03
Title
Simple Banner < 3.0.4 - Admin+ Stored XSS
Published
2018-10-06
Title
Ultimate Member < 2.0.28 - Multiple XSS
Published
2025-01-24
Title
HT Conctact Form 7 < 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-05-04
Title
WP Slider <= 1.4.5 - Admin+ Stored Cross-Site Scripting