CVE-2025-14054
Stored XSS in WC Builder WooCommerce Plugin Allows Script Injection
Publication date: 2025-12-21
Last updated on: 2025-12-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wc_builder | * |
| wordpress | wordpress | * |
| wpbakery | page_builder | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WC Builder β WooCommerce Page Builder for WPBakery plugin for WordPress. It occurs via the 'heading_color' parameter and multiple other styling parameters of the 'wpbforwpbakery_product_additional_information' shortcode in versions up to 1.2.0. Due to insufficient input sanitization and output escaping, authenticated attackers with Shop Manager-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page, potentially compromising user data or site integrity. [4]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Shop Manager-level access or higher to inject malicious scripts into WooCommerce product pages. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of the user. This can compromise the security and trustworthiness of your website and its users. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you can check if the WC Builder β WooCommerce Page Builder for WPBakery plugin is installed and its version is 1.2.0 or below, as these versions are vulnerable. You can verify the plugin version via WordPress admin dashboard or by checking the plugin files. Additionally, you can search for the presence of the shortcode `[wpbforwpbakery_product_additional_information]` in your WordPress pages or posts, which is the vector for the vulnerability. There are no specific network commands provided to detect exploitation attempts, but reviewing pages that use this shortcode for injected scripts or unusual styling parameters may help. For example, you can use WP-CLI commands to list plugin versions: `wp plugin list` and grep for wc-builder or similar. Also, searching the database for the shortcode usage: `wp search-replace --dry-run '[wpbforwpbakery_product_additional_information' ''` or querying the posts table for the shortcode. Manual inspection of pages with this shortcode for suspicious scripts in the heading_color or other styling parameters can help detect exploitation. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WC Builder β WooCommerce Page Builder for WPBakery plugin to version 1.2.1 or later, where the vulnerability is fixed by implementing comprehensive sanitization of CSS values and custom classes to prevent stored XSS attacks. If updating is not immediately possible, restrict Shop Manager-level access and above to trusted users only, as the vulnerability requires authenticated users with such privileges to exploit. Additionally, review and sanitize any existing content using the vulnerable shortcode to remove potentially malicious scripts. Applying web application firewall (WAF) rules to block suspicious input in styling parameters may also help as a temporary measure. [3]