CVE-2025-54747: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in WPBakery's Templatera WordPress plugin versions 2.3.0 and below, identified as CVE-2025-54747. The vulnerability was reported on July 30, 2025, and publicly disclosed on August 14, 2025. This security issue allows for improper neutralization of input during web page generation, specifically enabling DOM-Based XSS attacks (Patchstack).

The vulnerability has been assigned a CVSS score of 6.5, indicating a low to moderate severity level. The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, suggesting network-based attack vectors with low attack complexity. The vulnerability requires Contributor or higher privilege level for exploitation (Wordfence).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The vulnerability has been patched in version 2.4.0 of the Templatera plugin. Users are advised to update to version 2.4.0 or later to remove the vulnerability. For additional protection, Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).