WordPress Plugin Vulnerabilities

Live Composer – Free WordPress Website Builder < 2.0.3 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Description

The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
live-composer-page-builder
Fixed in 2.0.3

References

CVE
CVE-2025-13537
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a9f8ab73-8c2a-4551-bad9-4e5cc67231e5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
4d901723-3e93-481f-bce6-ed9c05a2accd

Timeline

Publicly Published
2025-12-16 (about 6 months ago)
Added
2025-12-17 (about 6 months ago)
Last Updated
2025-12-17 (about 6 months ago)

Other

Published
Title
Published
2025-09-22
Title
CubeWP < 1.1.27 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-12
Title
Puzzles < 4.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2026-02-06
Title
OMIGO <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-01-07
Title
Simple Locator <= 2.0.4 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
WooCommerce SagePay Direct Payment Gateway 0.1.6.6 - pages/3DRedirect.php Multiple Parameter Reflected XSS