CVE-2025-7502: 
WordPress vulnerability analysis and mitigation

The WPBakery Page Builder for WordPress plugin is affected by a Stored Cross-Site Scripting vulnerability (CVE-2025-7502) discovered on August 5, 2025. This vulnerability affects all versions up to and including 8.5 of the plugin. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes in several shortcodes (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability specifically affects the shortcode handling mechanism in the plugin, where user input is not properly sanitized before being stored and displayed (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions being performed on behalf of other users viewing the compromised pages (NVD).

The vulnerability was addressed in version 8.6 of WPBakery Page Builder, released on August 4, 2025. Users are advised to update to this version or later to protect against this security issue (WPBakery Release).