WordPress Plugin Vulnerabilities

Visual Composer Website Builder < 45.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 45.10.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
visualcomposer
Fixed in 45.11.0

References

CVE
CVE-2025-46254
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ece53a2-cbad-4ff8-baad-0e4ec14ecbee

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
muhammad yudha
Verified
No
WPVDB ID
96770ef2-f27a-43a8-9b9d-f1ab8ebbaf9d

Timeline

Publicly Published
2025-04-22 (about 1 year ago)
Added
2025-04-30 (about 1 year ago)
Last Updated
2025-04-30 (about 1 year ago)

Other

Published
Title
Published
2025-02-14
Title
Front End Users < 3.2.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via forgot-password Shortcode
Published
2024-08-16
Title
Icegram < 3.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-12-20
Title
Ibtana – WordPress Website Builder < 1.1.8.8 - Contributor+ Stored XSS via Shortcode
Published
2023-09-24
Title
WP Discord Invite < 2.5.1 - Reflected Cross-Site Scripting via webhook
Published
2025-06-03
Title
WooCommerce Photo Reviews - Review Reminders - Review for Discounts <= 1.3.13 - Reflected Cross-Site Scripting