CVE-2025-11376
Stored XSS in Colibri Page Builder 'colibri_loop' Shortcode
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | colibri_page_builder | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, you can scan your WordPress site for the presence of the vulnerable Colibri Page Builder plugin versions (up to 1.0.335). Specifically, look for pages or posts containing the 'colibri_loop' shortcode with suspicious or unexpected attributes that may include injected scripts. Since the vulnerability involves stored cross-site scripting via shortcode attributes, you can search the WordPress database for instances of the 'colibri_loop' shortcode containing script tags or suspicious JavaScript code. For example, you can run SQL queries on the WordPress database to find such content. A sample SQL command to detect suspicious shortcode usage might be: SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[colibri_loop%<script%'; Additionally, you can use WP-CLI commands to search posts: wp post list --post_type=page --field=ID | xargs -I % wp post get % --field=post_content | grep -i '\[colibri_loop.*<script' To detect exploitation attempts on your network, monitor HTTP requests for POST or GET parameters containing the 'colibri_loop' shortcode with script injections. However, no specific detection commands are provided in the resources. [1]
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Colibri Page Builder plugin for WordPress. It occurs via the 'colibri_loop' shortcode in versions up to 1.0.335 due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated users with contributor-level access or higher can inject malicious scripts into pages, which execute when other users view those pages.
How can this vulnerability impact me? :
An attacker with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute in the context of users who visit the infected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions that compromise user security and site integrity.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Colibri Page Builder plugin to version 1.0.3.42 or later, as this update includes security improvements that fix the vulnerability by enforcing strict parsing and rendering of only registered WordPress shortcodes and sanitizing shortcode attributes. This update prevents execution of arbitrary or malicious content embedded outside legitimate shortcodes. Additionally, review and sanitize any existing content that may have been injected with malicious scripts via the 'colibri_loop' shortcode. Limit contributor-level access to trusted users to reduce risk of exploitation. [1]