Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Stored XSS. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through < 3.21.1.
Analysis (AI)
Stored Cross-Site Scripting (XSS) in Ultimate Addons for WPBakery Page Builder allows unauthenticated attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects versions prior to 3.21.1, enabling attackers to execute arbitrary JavaScript in the browsers of site visitors, potentially leading to session hijacking, credential theft, or malware distribution. No public exploit code has been identified at the time of analysis, and real-world exploitation probability is minimal (EPSS 0.02%).
Technical Context (AI)
The vulnerability stems from improper neutralization of user-supplied input during dynamic web page generation, classified as CWE-79 (Cross-site Scripting). Ultimate Addons for WPBakery Page Builder is a WordPress plugin (CPE: wordpress_plugin/ultimate_vc_addons) that extends WPBakery's page builder functionality. The plugin fails to properly sanitize or escape user input before rendering it in page output, allowing attackers to inject stored XSS payloads that persist in the WordPress database and execute whenever the affected content is viewed. This is a common vulnerability class in WordPress plugins due to insufficient use of WordPress sanitization and escaping functions such as wp_kses_post() or esc_html().
Affected Products (AI)
Ultimate Addons for WPBakery Page Builder (WordPress plugin ultimate_vc_addons) versions prior to 3.21.1 are affected. The vulnerability impacts all installations of the plugin from its initial release through version 3.21.0. Additional details and the vendor advisory are available at https://patchstack.com/database/Wordpress/Plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-1-cross-site-scripting-xss-vulnerability.
Remediation (AI)
Vendor-released patch: Ultimate Addons for WPBakery Page Builder version 3.21.1 or later. Site administrators should update the plugin immediately via the WordPress admin dashboard (Plugins > Updates) or manually download the patched version from the WordPress plugin repository. Ensure the WPBakery Page Builder parent plugin is also kept current, as compatibility between versions is essential. After updating, audit any page content created with the affected plugin versions for stored XSS payloads, particularly in custom fields or user-submitted content areas. For additional security guidance, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-1-cross-site-scripting-xss-vulnerability.