CVE-2025-4968: 
WordPress vulnerability analysis and mitigation

The WPBakery Page Builder for WordPress plugin is affected by a Stored Cross-Site Scripting vulnerability (CVE-2025-4968) discovered in July 2025. The vulnerability affects multiple Page Builder elements including Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart in versions up to and including 8.4.1. This security issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting). The technical root cause is related to insufficient input sanitization and output escaping mechanisms in multiple Page Builder elements (NVD, Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the visiting user's browser (NVD).

The vulnerability was addressed in version 8.5 of WPBakery Page Builder, released on June 17, 2025. Users are advised to update to this version or later to protect against this vulnerability. The update includes various security improvements and fixes for the vulnerability (WPBakery).