CVE-2025-9353: 
WordPress vulnerability analysis and mitigation

The Themify Builder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-9353) affecting all versions up to and including 7.6.9. The vulnerability was discovered on September 24, 2025 and is due to insufficient input sanitization and output escaping (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when they visit affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (NVD).

The vulnerability was partially patched in version 7.6.9 of the Themify Builder plugin. Users are advised to update to the latest version available. No other workarounds have been publicly documented (NVD).