{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14054", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T17:49:44.131Z", "datePublished": "2025-12-21T02:20:32.034Z", "dateUpdated": "2026-04-08T16:51:43.741Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:43.741Z"}, "affected": [{"vendor": "hasthemes", "product": "WC Builder \u2013 WooCommerce Page Builder for WPBakery", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WC Builder \u2013 WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WC Builder <= 1.2.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4fe4b6-cc1e-40be-bd2e-bf2745244892?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-builder/trunk/includes/addons/product_additional_information.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-builder/tags/1.2.0/includes/addons/product_additional_information.php#L33"}, {"url": "https://plugins.trac.wordpress.org/changeset/3419217/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2025-12-04T18:07:21.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-20T14:13:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T20:24:41.657038Z", "id": "CVE-2025-14054", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:24:48.286Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T20:24:41.657038Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:24:44.676Z"}}], "cna": {"title": "WC Builder <= 1.2.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "hasthemes", "product": "WC Builder \u2013 WooCommerce Page Builder for WPBakery", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T18:07:21.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-20T14:13:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4fe4b6-cc1e-40be-bd2e-bf2745244892?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-builder/trunk/includes/addons/product_additional_information.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-builder/tags/1.2.0/includes/addons/product_additional_information.php#L33"}, {"url": "https://plugins.trac.wordpress.org/changeset/3419217/"}], "descriptions": [{"lang": "en", "value": "The WC Builder \u2013 WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:43.741Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14054", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:43.741Z", "dateReserved": "2025-12-04T17:49:44.131Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-21T02:20:32.034Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WC Builder \u2013 WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-14054", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-21T03:15:52.307", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-builder/tags/1.2.0/includes/addons/product_additional_information.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-builder/trunk/includes/addons/product_additional_information.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3419217/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4fe4b6-cc1e-40be-bd2e-bf2745244892?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:08:58.227381+00:00", "value": {"mitigation_remediation": ["Update the WC Builder plugin to the latest available version, which removes the insecure handling of the shortcode attributes.", "If an update is unavailable, remove or disable the wpbforwpbakery_product_additional_information shortcode from all product pages or restrict the ability of Shop Manager users to edit product additional information.", "Apply a strong content\u2011security\u2011policy header to the site to block execution of untrusted JavaScript, reducing the impact of any residual XSS vectors."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the hasthemes: WC Builder \u2013 WooCommerce Page Builder for WPBakery plugin for WordPress. All releases up to and including version 1.2.0 are impacted. Site owners should confirm they are running a version newer than 1.2.0 or have applied the vendor\u2019s fix.", "description_and_impact": "The WC Builder \u2013 WooCommerce Page Builder for WPBakery plugin contains a stored cross\u2011site scripting flaw that occurs when the heading_color parameter, along with other styling options, is inserted into the wpbforwpbakery_product_additional_information shortcode. Because the plugin does not sanitize or escape the data before persisting it, an attacker can embed arbitrary JavaScript that will run in the browsers of any site visitor. This allows a Shop Manager\u2011level user or higher to compromise the confidentiality and integrity of the site, potentially hijack sessions, or deface content in a way that is invisible to the default WordPress security tools. The flaw is a classic example of CWE\u201179.", "risk_and_exploitability": "The CVSS score of 4.4 signals moderate severity, while an EPSS score of <\u202f1\u202f% points to a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Shop Manager or higher privileges, making the attack vector local to the site rather than truly remote; based on the description, the local attack inference is made because the plugin requires such authenticated access, a detail that is logically derived rather than explicitly stated. Once a malicious script is stored, it will execute for every user who views the affected page, creating a widespread risk for all visitors."}}}}, "created": "2025-12-23T22:52:22.626873+00:00", "updated": "2026-04-22T00:15:03.771582+00:00", "vendors": ["hasthemes", "hasthemes$PRODUCT$wc_builder", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}