WordPress Plugin Vulnerabilities

Visual Composer Website Builder < 45.7.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Description

The Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 45.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
visualcomposer
Fixed in 45.7.0

References

CVE
CVE-2024-27997
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f3042586-dd23-487f-a79c-7ad5b5e38677

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
0d018694-d40f-4c20-a1ca-a907e6cdc620

Timeline

Publicly Published
2024-03-15 (about 2 years ago)
Added
2024-03-20 (about 2 years ago)
Last Updated
2024-03-20 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
Turisbook Booking System <= 1.3.8 - Contributor+ Stored XSS
Published
2026-03-21
Title
Yoast SEO < 27.2 - Contributor+ Stored XSS via 'jsonText' Block Attribute
Published
2024-02-05
Title
Product Labels For Woocommerce < 1.5.4 - Authenticated (Shop manager+) Stored Cross-Site Scripting
Published
2025-10-30
Title
Qzzr Shortcode Plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2023-08-11
Title
Avartan Slider Lite <= 1.5.3 - Reflected XSS