Website Builder By Seedprod Theme Builder Landing Page Builder Coming Soon Page Maintenance Mode
Monthly
Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.
Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.