CVE-2025-10006: 
WordPress vulnerability analysis and mitigation

The WPBakery Page Builder plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-10006) discovered on October 18, 2025. The vulnerability affects all versions up to and including 8.6 and is specifically related to the plugin's 'revslidervc' shortcode. This security issue exists due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The security flaw is specifically tied to the 'revslidervc' shortcode functionality and requires the RevSlider plugin to be installed alongside WPBakery Page Builder for exploitation. The vulnerability is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD).

The vulnerability was addressed in WPBakery Page Builder version 8.7.1, released on October 16, 2025. Users are advised to update to this version or later to protect against this security issue. The update includes fixes for the text block toolbar and various other security improvements (WPBakery KB).