CVE-2025-68598

Severity: MEDIUM
Published: 2025-12-24
CVSS 3.1 base score: 5.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 24, 2025 - 13:16 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiveComposer Page Builder: Live Composer live-composer-page-builder allows Stored XSS. This issue affects Page Builder: Live Composer: from n/a through <= 2.1.11.

Analysis

Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.

Technical Context

Live Composer (live-composer-page-builder) is a WordPress page builder plugin that processes user-generated page content. The vulnerability stems from improper input sanitization and output encoding during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to adequately neutralize user-supplied input containing JavaScript code before rendering it in the page editor or frontend display. Unlike reflected XSS, which requires social engineering to distribute a malicious link, stored XSS persists in the WordPress database, making it a more severe threat vector that affects multiple users across multiple sessions.

Affected Products

Live Composer Page Builder (live-composer-page-builder) WordPress plugin versions from an unspecified baseline through and including version 2.1.11. The plugin is distributed through the WordPress plugin repository and installed on WordPress sites as a page builder tool. Administrators should verify their installed version against the affected range; the vendor advisory at patchstack.com provides detailed version information and affected component scope.

Remediation

Update the Live Composer page builder plugin to the latest patched version released after 2.1.11, as confirmed in the vendor security advisory at patchstack.com/database/Wordpress/Plugin/live-composer-page-builder. Site administrators should immediately update all affected installations through the WordPress plugin management interface. As an interim mitigation, restrict page builder access to trusted administrator-level users only by adjusting WordPress user role capabilities; this removes authenticated contributors and editors, the accounts that could otherwise store XSS payloads, from the attack surface. Review any pages created or edited by lower-privilege users for suspicious JavaScript or iframe injection before the patch is applied.
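The two passages above (the CWE-79 output-encoding failure under Technical Context, and the "review pages edited by lower-privilege users" step under Remediation) can both be illustrated with a short script. The code below is an added example written for this page; it is not Live Composer's code and does not reflect how that plugin stores or renders modules. It assumes, as a hypothetical, that a page-builder module keeps a few string settings (id, title, link, label) saved by a low-privilege user, and it is written in plain PHP so it runs from the CLI without WordPress: `esc_html_ctx()` and `esc_link()` stand in for WordPress's esc_html()/esc_attr() and esc_url(), and rich-text fields would go through wp_kses_post() in a real plugin.

```php
<?php
// Added example, not the plugin's code. Contrasts an unescaped render path with
// an escaped one, then shows a coarse review scan over stored settings.
// Assumption (hypothetical): module settings are plain strings saved by a user.

declare(strict_types=1);

/** Escape for an HTML text node or double-quoted attribute value.
 *  In WordPress this is esc_html() / esc_attr(); plain PHP equivalent here. */
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Allow only http(s) URLs in href/src (WordPress: esc_url()).
 *  Anything else (javascript:, data:, vbscript:) is dropped entirely. */
function esc_link(string $s): string {
    $s = trim($s);
    if (!preg_match('~^https?://~i', $s)) {
        return '';
    }
    return esc_html_ctx($s);
}

/** Vulnerable pattern: settings saved by a low-privilege user are echoed raw,
 *  so stored markup becomes live HTML in every viewer's browser. */
function render_module_vulnerable(array $settings): string {
    return '<div class="module" data-id="' . $settings['id'] . '">'
         . '<h2>' . $settings['title'] . '</h2>'
         . '<a href="' . $settings['link'] . '">' . $settings['label'] . '</a>'
         . '</div>';
}

/** Hardened pattern: every value is escaped for the context it lands in
 *  (attribute, text node, URL). The stored data is unchanged; only output differs. */
function render_module_hardened(array $settings): string {
    return '<div class="module" data-id="' . esc_html_ctx($settings['id']) . '">'
         . '<h2>' . esc_html_ctx($settings['title']) . '</h2>'
         . '<a href="' . esc_link($settings['link']) . '">'
         . esc_html_ctx($settings['label']) . '</a>'
         . '</div>';
}

/** Review helper for the interim mitigation: flag stored values that carry
 *  script tags, inline event handlers, javascript: URLs or iframes.
 *  Coarse by design (it is a triage filter, not a sanitizer); run it over
 *  stored content, not over escaped output, to avoid false positives. */
function flag_suspicious_content(string $content): array {
    $patterns = [
        'script_tag'     => '~<\s*script\b~i',
        'event_handler'  => '~\bon[a-z]+\s*=~i',
        'javascript_url' => '~javascript\s*:~i',
        'iframe_tag'     => '~<\s*iframe\b~i',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $content)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample: settings as a contributor could have saved them.
$stored = [
    'id'    => '7" onmouseover="alert(1)',
    'title' => 'Welcome <script>alert(1)</script>',
    'link'  => 'javascript:alert(1)',
    'label' => 'Read more',
];

// Review step: each stored field is scanned before the page is trusted.
foreach ($stored as $field => $value) {
    $hits = flag_suspicious_content($value);
    echo str_pad($field, 6) . ': ' . ($hits ? implode(', ', $hits) : 'clean') . PHP_EOL;
}

// Render step: the vulnerable path emits the payload verbatim; the hardened
// path emits inert text and an empty href for the rejected URL.
$raw  = render_module_vulnerable($stored);
$safe = render_module_hardened($stored);
echo PHP_EOL . 'vulnerable: ' . $raw . PHP_EOL;
echo 'hardened:   ' . $safe . PHP_EOL;
echo 'hardened output contains live <script>: '
   . (stripos($safe, '<script') === false ? 'no' : 'YES') . PHP_EOL;
```

Run it with `php example.php`. The point to take from the hardened path is that the database contents are not "cleaned": the same stored strings are rendered safely because escaping is applied at output time, per context. The scan function is only a triage aid for the interim review the remediation text calls for; it will miss encoded or obfuscated payloads, so it supplements rather than replaces updating the plugin and tightening role capabilities.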

Priority Score

27 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0
