{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11814", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-15T16:02:10.354Z", "datePublished": "2025-10-16T04:27:14.576Z", "dateUpdated": "2026-04-08T16:40:57.708Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:57.708Z"}, "affected": [{"vendor": "Brainstorm Force", "product": "Ultimate Addons for WPBakery", "versions": [{"version": "0", "status": "affected", "lessThan": "3.21.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Ultimate Addons for WPBakery Page Builder < 3.21.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f41101c-c54f-4e97-a0fb-79a17d5f0929?source=cve"}, {"url": "https://patchstack.com/database/wordpress/plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-1-cross-site-scripting-xss-vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-10-15T16:17:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-10T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-16T14:33:07.818604Z", "id": "CVE-2025-11814", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T14:35:29.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11814", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-16T14:33:07.818604Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T14:35:20.274Z"}}], "cna": {"title": "Ultimate Addons for WPBakery Page Builder < 3.21.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Brainstorm Force", "product": "Ultimate Addons for WPBakery", "versions": [{"status": "affected", "version": "*", "lessThan": "3.21.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-15T16:17:10.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-10T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f41101c-c54f-4e97-a0fb-79a17d5f0929?source=cve"}, {"url": "https://patchstack.com/database/wordpress/plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-1-cross-site-scripting-xss-vulnerability"}], "descriptions": [{"lang": "en", "value": "The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-16T04:27:14.576Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11814", "state": "PUBLISHED", "dateUpdated": "2025-10-16T14:35:29.584Z", "dateReserved": "2025-10-15T16:02:10.354Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-16T04:27:14.576Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11814", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-16T05:15:36.880", "references": [{"source": "security@wordfence.com", "url": "https://patchstack.com/database/wordpress/plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-1-cross-site-scripting-xss-vulnerability"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f41101c-c54f-4e97-a0fb-79a17d5f0929?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:37:28.503201+00:00", "value": {"mitigation_remediation": ["Upgrade the Ultimate Addons for WPBakery plugin to version 3.21.1 or newer", "If an upgrade cannot be performed, disable or uninstall the plugin", "Deploy a web application firewall or security plugin configured to block or filter malicious script payloads"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All versions of the Ultimate Addons for WPBakery plugin for WordPress prior to 3.21.1, maintained by Brainstorm Force, are affected. Sites running WordPress with the WPBakery Page Builder and the plugin installed and active are at risk.", "description_and_impact": "The Ultimate Addons for WPBakery plugin has a stored cross\u2011site scripting flaw caused by insufficient input sanitization and output escaping. A malicious payload can be stored in a writable field and executed automatically in the browsers of any user who visits the affected page, allowing the attacker to run arbitrary client\u2011side code. The CVE description does not specify additional consequences such as credential theft or session hijacking.", "risk_and_exploitability": "The CVSS score of 6.4 classifies the issue as moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers can inject a malicious payload via a writable field in the plugin\u2014even without authentication\u2014so no prior credentials are required. Once stored, the script is delivered to every visitor of the page, resulting in arbitrary client\u2011side code execution."}}}}, "created": "2025-10-21T09:40:50.073787+00:00", "updated": "2026-04-28T10:45:29.418797+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$ultimate_addons_for_wpbakery_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}