Colibri Page Builder < 1.0.334 – Authenticated (Shop manager+) Stored Cross-Site Scripting | CVE 2025-59593 | Plugin Vulnerabilities

Description

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.0.334 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

colibri-page-builder

Fixed in 1.0.334

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ad77a2a3-e24b-43f0-b066-1774ab20e2cd

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

SavPhill (Savphill)

Verified

No

WPVDB ID

1af186bf-dc84-45e6-9ec6-45531679fb23

Timeline

Publicly Published

2025-09-22 (about 9 months ago)

Added

2025-09-26 (about 8 months ago)

Last Updated

2025-09-26 (about 8 months ago)

Other

Published

Title

Published

2024-05-24

Title

WordPress Jitsi Shortcode <= 0.1 - Contributor+ Stored XSS via Shortcode

Published

2024-08-21

Title

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce < 5.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings

Published

2023-03-16

Title

Newsmag <= 2.4.4 - Subscriber+ Reflected Cross-Site Scripting

Published

2025-01-06

Title

Sina Extension for Elementor < 3.6.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Sina Image Differ

Published

2024-02-21

Title

Elementor Addon Elements < 1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget