Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L confirmed by contributor-level requirement; UI:R assigned because stored payload only executes when a victim actively navigates to the injected page, consistent with NVD stored-XSS guidance.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's seedprodnestedmenuwidget shortcode in all versions up to, and including, 6.20.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the seedprodnestedmenuwidget shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.
Technical ContextAI
The vulnerability resides in the nested navigation menu widget shortcode handler within app/nestednavmenu.php of the SeedProd plugin (CPE: cpe:2.3:a:seedprod:website_builder_by_seedprod_-_theme_builder,_landing_page_builder,_coming_soon_page,_maintenance_mode:*:*:*:*:*:*:*:*). CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied shortcode attributes are neither sanitized on input nor escaped on output before being rendered into page HTML. The CVSS Scope:Changed metric confirms the vulnerability's reach crosses trust boundaries-from the WordPress application context into the browser context of any visiting user, which is the classic stored XSS escalation path.
RemediationAI
Update the SeedProd Website Builder plugin beyond version 6.20.2 immediately; an upstream fix is confirmed via WordPress Trac changeset 3565979 targeting coming-soon/trunk/app/nestednavmenu.php (https://plugins.trac.wordpress.org/changeset/3565979/coming-soon/trunk/app/nestednavmenu.php). The exact released patch version is not explicitly stated in available data - consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ba751f98-f86c-451b-8a12-a2e9e76768e5 and the WordPress plugin repository for the confirmed fixed release. As a compensating control prior to patching, restrict the contributor role from being assigned to untrusted users, or disable shortcode rendering for contributor-tier content. Note that disabling contributor access site-wide may disrupt editorial workflows on multi-author sites.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210440
GHSA-jmjw-68vw-ffrj