Envision Page Builder
Monthly
DOM-Based Cross-Site Scripting in the Envision Page Builder WordPress plugin (versions through 0.22) allows low-privileged authenticated attackers to inject and execute malicious JavaScript in victim browsers via unsanitized page builder input. The scope change (S:C) in the CVSS vector confirms the payload escapes the plugin's own context and can affect the broader WordPress environment, including the admin panel. No public exploit code or active exploitation has been identified at time of analysis, but the stored-or-reflected DOM injection path makes this a realistic avenue for session hijacking or privilege escalation within WordPress installations.
DOM-Based Cross-Site Scripting in the Envision Page Builder WordPress plugin (versions through 0.22) allows low-privileged authenticated attackers to inject and execute malicious JavaScript in victim browsers via unsanitized page builder input. The scope change (S:C) in the CVSS vector confirms the payload escapes the plugin's own context and can affect the broader WordPress environment, including the admin panel. No public exploit code or active exploitation has been identified at time of analysis, but the stored-or-reflected DOM injection path makes this a realistic avenue for session hijacking or privilege escalation within WordPress installations.