CVE-2020-28650: 
WordPress vulnerability analysis and mitigation

The WPBakery Page Builder WordPress plugin (before version 6.4.1) contained an Authenticated Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2020-28650. The vulnerability was discovered and disclosed in October 2020, affecting over 4 million WordPress sites. The security flaw exists because the plugin calls ksesremovefilters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles (Wordfence Blog).

The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability allows low-privileged users, such as contributors, to inject malicious JavaScript into posts by bypassing WordPress's built-in XSS protection mechanisms (NVD, WPScan).

When exploited, this vulnerability allows authenticated users with contributor-level access or higher to inject malicious JavaScript code into posts. This could lead to the execution of unauthorized scripts in users' browsers when viewing affected content, potentially compromising user data or performing actions on behalf of authenticated users (Wordfence Blog).

The vulnerability was patched in WPBakery Page Builder version 6.4.1. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).