CVE-2025-46488: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the WordPress Visual Builder plugin affecting versions through 1.2.2. The vulnerability was discovered by researcher astra.r3verii and was assigned CVE-2025-46488 on April 24, 2025. The issue allows for Reflected XSS attacks due to broken access control in the plugin (Patchstack).

The vulnerability is classified as a Broken Access Control issue, which stems from missing authorization, authentication, or nonce token checks in certain functions. This allows unprivileged users to execute higher privileged actions. The vulnerability has been assigned a CVSS score of 7.1, categorizing it as a medium severity issue. The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control (Patchstack).

The vulnerability is considered moderately dangerous and is expected to become exploited. It allows unprivileged users to perform actions that should be restricted to users with higher privileges, potentially compromising the security of affected WordPress installations (Patchstack).

The vulnerability has been fixed in Visual Builder version 1.3. Users are advised to update to version 1.3 or later immediately to resolve the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).