WordPress Plugin Vulnerabilities

Ultimate Addons for WPBakery Page Builder < 3.19.15 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
Ultimate_VC_Addons
Fixed in 3.19.15

References

CVE
CVE-2023-46211
URL
https://patchstack.com/database/vulnerability/ultimate_vc_addons/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-19-14-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
5337d43b-27dd-41fa-a850-c66cdc5fa77c

Timeline

Publicly Published
2023-10-19 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2025-08-14
Title
Webba Booking < 6.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2015-02-09
Title
Redirection Page <= 1.2 - CSRF/XSS
Published
2024-11-08
Title
Awesome Tool Tip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-13
Title
Gutenberg Blocks, Page Builder – ComboBlocks < 2.2.88 - Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Block
Published
2023-04-05
Title
Weaver Xtreme Theme < 6.2 - Contributor+ Stored Cross-Site Scripting