Shopbuilder < 3.2.2 – Reflected XSS | CVE 2025-13456 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

Prerequisites: Install and configure Elementor and WooCommerce plugins.

1. In the WordPress Admin panel, go to ShopBuilder > Templates Builder and create a new page.
2. Set the template type to "Shop", editor type to "Elementor", and set as "Active Template".
3. Choose "Theme Default Template" and save.
4. Create another page with type "Category Archive", using the same editor and template settings.
5. Once these templates are active, visit: `https://example.com/product-category/uncategorized/?orderby=a%27onclick%3d%27alert(1)%27a` and click to trigger XSS

Affects Plugins

Fixed in 3.2.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Gregory Allegoet

Submitter

Gregory Allegoet

Submitter website

https://yiikergiiker.github.io/

Verified

Yes

WPVDB ID

5872ece6-52cb-4306-b7ee-41282815a243

Timeline

Publicly Published

2025-12-12 (about 20 days ago)

Added

2025-12-12 (about 19 days ago)

Last Updated

2025-12-12 (about 19 days ago)

Other

Published

Title

Published

2023-10-11

Title

Copy Or Move Comments <= 5.0.4 - Reflected XSS

Published

2022-01-18

Title

User Registration, Login & Landing Pages <= 1.2.7 - Admin+ Stored Cross-Site Scripting

Published

2025-04-16

Title

Html5 Audio Player < 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-10

Title

WooCommerce Predictive Search < 6.1.0 - Reflected Cross-Site Scripting

Published

2022-06-23

Title

Loading Page with Loading Screen < 1.0.83 - Admin+ Stored Cross-Site Scripting