CVE-2025-4968: 
WordPress vulnerability analysis and mitigation

The WPBakery Page Builder WordPress plugin is affected by a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 8.4.1. The vulnerability exists across multiple Page Builder elements including Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart. This security issue was discovered and disclosed on July 23, 2025 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in multiple Page Builder elements. The issue has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating that it can be exploited over the network with low attack complexity and requires low privileges (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability was addressed in version 8.5 of WPBakery Page Builder, released on June 17, 2025. Website administrators are strongly advised to update to this latest version to protect against this security issue (WPBakery KB).