Skip to main content

SeedProd Website Builder CVE-2025-14785

| EUVDEUVD-2025-210440 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 Wordfence GHSA-jmjw-68vw-ffrj
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L confirmed by contributor-level requirement; UI:R assigned because stored payload only executes when a victim actively navigates to the injected page, consistent with NVD stored-XSS guidance.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 12:48 vuln.today
CVE Published
Jul 08, 2026 - 11:30 nvd
MEDIUM 6.4

DescriptionCVE.org

The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's seedprodnestedmenuwidget shortcode in all versions up to, and including, 6.20.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the seedprodnestedmenuwidget shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.

Technical ContextAI

The vulnerability resides in the nested navigation menu widget shortcode handler within app/nestednavmenu.php of the SeedProd plugin (CPE: cpe:2.3:a:seedprod:website_builder_by_seedprod_-_theme_builder,_landing_page_builder,_coming_soon_page,_maintenance_mode:*:*:*:*:*:*:*:*). CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied shortcode attributes are neither sanitized on input nor escaped on output before being rendered into page HTML. The CVSS Scope:Changed metric confirms the vulnerability's reach crosses trust boundaries-from the WordPress application context into the browser context of any visiting user, which is the classic stored XSS escalation path.

RemediationAI

Update the SeedProd Website Builder plugin beyond version 6.20.2 immediately; an upstream fix is confirmed via WordPress Trac changeset 3565979 targeting coming-soon/trunk/app/nestednavmenu.php (https://plugins.trac.wordpress.org/changeset/3565979/coming-soon/trunk/app/nestednavmenu.php). The exact released patch version is not explicitly stated in available data - consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ba751f98-f86c-451b-8a12-a2e9e76768e5 and the WordPress plugin repository for the confirmed fixed release. As a compensating control prior to patching, restrict the contributor role from being assigned to untrusted users, or disable shortcode rendering for contributor-tier content. Note that disabling contributor access site-wide may disrupt editorial workflows on multi-author sites.

Share

CVE-2025-14785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy