{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11376", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-06T15:39:21.973Z", "datePublished": "2025-12-13T04:31:23.715Z", "dateUpdated": "2026-04-08T16:46:38.530Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:38.530Z"}, "affected": [{"vendor": "extendthemes", "product": "Colibri Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.335", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Colibri Page Builder <= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38eaf4be-5083-46fe-b586-e4be190dc9cc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377192%40colibri-page-builder&new=3377192%40colibri-page-builder&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-12-12T15:37:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:38.095877Z", "id": "CVE-2025-11376", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:48:17.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11376", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:38.095877Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:39.199Z"}}], "cna": {"title": "Colibri Page Builder <= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "extendthemes", "product": "Colibri Page Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.335"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T15:37:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38eaf4be-5083-46fe-b586-e4be190dc9cc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377192%40colibri-page-builder&new=3377192%40colibri-page-builder&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:38.530Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11376", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:38.530Z", "dateReserved": "2025-10-06T15:39:21.973Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:23.715Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11376", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:45.293", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377192%40colibri-page-builder&new=3377192%40colibri-page-builder&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38eaf4be-5083-46fe-b586-e4be190dc9cc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:14:58.408571+00:00", "value": {"mitigation_remediation": ["Update Colibri Page Builder to version 1.0.336 or later from ExtendThemes to remove the vulnerability.", "If an update is not possible, temporarily deactivate or uninstall the plugin so the vulnerable shortcode cannot be used.", "Review and restrict contributor access on the WordPress site, ensuring that only trusted users have publishing rights that could exploit the shortcode.", "Consider implementing a Web Application Firewall or security plugin that detects and blocks injected JavaScript."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "ExtendThemes\u2019 Colibri Page Builder plugin is affected. All WordPress sites running any version up to and including 1.0.335 are vulnerable. The issue exists regardless of theme or other plugins, as the flaw is confined to the shortcode handling within Colibri Page Builder.", "description_and_impact": "The Colibri Page Builder plugin contains a stored cross\u2011site scripting flaw in the \"colibri_loop\" shortcode, caused by insufficient input sanitization and output escaping of user\u2011supplied attributes. Attackers who can authenticate to the WordPress site with contributor\u2011level or higher privileges can embed arbitrary JavaScript that is persisted in the page content. When a visitor loads the affected page, the script executes in their browser, potentially allowing defacement, cookie theft, or phishing. This vulnerability directly enables an attacker to inject malicious code that runs with the authority of the viewing user, compromising confidentiality and integrity on the site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium\u2011severity issue, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, indicating no known large\u2011scale exploitation. Exploitation requires an authenticated user with at least contributor access, which most content editors have. The stored nature of the flaw means that once the malicious code is injected, it remains effective for all visitors, so an attacker can compromise the site\u2019s visitors even after the initial injection. Given the combination of moderate severity and low exploitation likelihood, timely patching is recommended to mitigate potential future exploitation."}}}}, "created": "2025-12-14T21:14:48.401808+00:00", "updated": "2026-04-22T12:15:16.040495+00:00", "vendors": ["extendthemes", "extendthemes$PRODUCT$colibri_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}