CVE-2025-48276: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Visual Composer Website Builder plugin versions through 45.11.0. The vulnerability was identified on May 19, 2025, and assigned CVE-2025-48276. This security issue affects the Visual Composer Website Builder WordPress plugin and requires contributor-level privileges to exploit (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue. It has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79 and requires low attack complexity with network-based attack vector (NVD).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered low severity but could affect website integrity and user experience (Patchstack).

The vulnerability has been patched in version 45.12.0 of the Visual Composer Website Builder plugin. Users are advised to update to version 45.12.0 or later to remove the vulnerability. The security issue has a low severity impact and is considered unlikely to be exploited (Patchstack).