Skip to main content

WPBakery Page Builder

23 CVEs wordpress

Monthly

CVE-2026-45436 MEDIUM This Month

Broken access control in WPBakery Page Builder (versions ≤ 8.7.2) allows subscriber-level authenticated WordPress users to invoke privileged functionality without proper authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) confirms this is network-exploitable with low complexity and high integrity impact, meaning authenticated low-privilege users can perform content or administrative actions restricted to higher roles such as editor or administrator. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, but WPBakery Page Builder's broad WordPress deployment footprint makes this a real remediation priority for sites with open user registration.

Authentication Bypass Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-7502 MEDIUM This Month

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Page Builder PHP WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-4965 MEDIUM This Month

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Page Builder PHP WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2024-13592 HIGH This Week

The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress +2
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-13591 MEDIUM This Month

The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'team-builder-vc' shortcode in all versions up. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Team Builder For Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-10172 MEDIUM This Month

The WPBakery Visual Composer WHMCS Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's void_wbwhmcse_laouts_search shortcode in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Wpbakery Visual Composer Whmcs Elements WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-43953 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webcodingplace Classic Addons - WPBakery Page Builder classic-addons-wpbakery-page-builder-addons. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WPBakery Page Builder
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-5255 MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_dual_color shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5254 MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_banner shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5253 MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ult_team shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5252 MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_table shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5251 MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_pricing shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5265 MEDIUM This Month

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link attribute within the vc_single_image shortcode in all versions up to, and including, 7.6. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Wpbakery Page Builder Clipboard WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.6%
CVE-2024-1842 MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Heading tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-1841 MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-1840 MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-1805 MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-2079 MEDIUM PATCH This Month

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'per_line_mobile' shortcode in all versions up to, and including, 3.8.1. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wpbakery Page Builder Addons WPBakery Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2023-6925 HIGH This Week

The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload Unlimited Addons For Wpbakery Page Builder WPBakery Page Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
3.0%
CVE-2023-5235 HIGH This Week

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Ovic Responsive Wpbakery WPBakery Page Builder
NVD WPScan
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-51402 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brain Storm Force Ultimate Addons for WPBakery Page Builder.19.17. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Ultimate Addons For Wpbakery Page Builder WPBakery Page Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2023-50370 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh WPBakery Page Builder Addons by Livemesh allows Stored XSS.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wpbakery Page Builder Addons WPBakery Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2022-4501 HIGH PATCH This Week

The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.3.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Mega Addons For Wpbakery Page Builder WPBakery Page Builder
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
EPSS 0% CVSS 6.5
MEDIUM This Month

Broken access control in WPBakery Page Builder (versions ≤ 8.7.2) allows subscriber-level authenticated WordPress users to invoke privileged functionality without proper authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) confirms this is network-exploitable with low complexity and high integrity impact, meaning authenticated low-privilege users can perform content or administrative actions restricted to higher roles such as editor or administrator. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, but WPBakery Page Builder's broad WordPress deployment footprint makes this a real remediation priority for sites with open user registration.

Authentication Bypass Wpbakery Page Builder WPBakery Page Builder
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Page Builder +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Page Builder +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'team-builder-vc'. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure PHP RCE +4
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Team Builder For WPBakery Page Builder(Formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'team-builder-vc' shortcode in all versions up. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Team Builder For Wpbakery Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The WPBakery Visual Composer WHMCS Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's void_wbwhmcse_laouts_search shortcode in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Wpbakery Visual Composer Whmcs Elements +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webcodingplace Classic Addons - WPBakery Page Builder classic-addons-wpbakery-page-builder-addons. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WPBakery Page Builder
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_dual_color shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_banner shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ult_team shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_table shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_pricing shortcode in all versions up to, and including, 3.19.20 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Ultimate Addons For Wpbakery Page Builder +1
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link attribute within the vc_single_image shortcode in all versions up to, and including, 7.6. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Wpbakery Page Builder Clipboard +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Heading tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Page Builder +1
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'per_line_mobile' shortcode in all versions up to, and including, 3.8.1. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wpbakery Page Builder Addons +1
NVD
EPSS 3% CVSS 7.2
HIGH This Week

The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload +2
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization WordPress Ovic Responsive Wpbakery +1
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brain Storm Force Ultimate Addons for WPBakery Page Builder.19.17. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Ultimate Addons For Wpbakery Page Builder WPBakery Page Builder
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh WPBakery Page Builder Addons by Livemesh allows Stored XSS.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wpbakery Page Builder Addons WPBakery Page Builder
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.3.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Mega Addons For Wpbakery Page Builder +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy