{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14119", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T15:30:35.384Z", "datePublished": "2025-12-12T03:20:46.000Z", "dateUpdated": "2026-04-08T16:55:34.202Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:34.202Z"}, "affected": [{"vendor": "themebon", "product": "App Landing Template Blocks for WPBakery (Visual Composer) Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "App Landing Template Blocks for WPBakery Page Builder <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c440ae0-311d-4d0a-a216-7641c2a80669?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/trunk/modules/video-play.php#L58"}, {"url": "https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/tags/2.0.2/modules/video-play.php#L58"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-12-11T14:23:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T17:55:00.483774Z", "id": "CVE-2025-14119", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:15:33.994Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14119", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T17:55:00.483774Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T17:55:04.208Z"}}], "cna": {"title": "App Landing Template Blocks for WPBakery Page Builder <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themebon", "product": "App Landing Template Blocks for WPBakery (Visual Composer) Page Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:23:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c440ae0-311d-4d0a-a216-7641c2a80669?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/trunk/modules/video-play.php#L58"}, {"url": "https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/tags/2.0.2/modules/video-play.php#L58"}], "descriptions": [{"lang": "en", "value": "The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:34.202Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14119", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:34.202Z", "dateReserved": "2025-12-05T15:30:35.384Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:46.000Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-14119", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:47.230", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/tags/2.0.2/modules/video-play.php#L58"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/trunk/modules/video-play.php#L58"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5c440ae0-311d-4d0a-a216-7641c2a80669?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:31:01.059939+00:00", "value": {"mitigation_remediation": ["Update App Landing Template Blocks for WPBakery to version 2.0.3 or later, which removes the insecure handling of shortcode attributes", "If an immediate upgrade is not possible, temporarily remove all instances of the atvc_video_play shortcode or replace them with plain content to eliminate the injection vector", "Limit the Contributor role to trusted administrators or remove the ability to edit content containing shortcodes by adjusting user capabilities with a role\u2011management plugin"], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the themebon App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress. All releases up to and including version 2.0.2 are vulnerable. WordPress sites that have installed the plugin and where users with Contributor or higher roles can edit content are at risk.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the App Landing Template Blocks for WPBakery Page Builder plugin. The vulnerability allows an authenticated attacker who holds the Contributor role or higher to inject arbitrary JavaScript through the attributes of the atvc_video_play shortcode. Because the data is not properly sanitized or escaped, any user who loads a page containing the malicious shortcode will execute the attacker\u2019s script. This flaw can be used to deface the site, phish credentials, or execute additional malicious actions, thereby compromising the confidentiality, integrity, and availability of the affected website.", "risk_and_exploitability": "The CVSS scoring indicates a medium severity with a 6.4 score, reflecting that the vulnerability is limited to authenticated users. The EPSS score of less than 1% suggests a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. An attacker would need to obtain contributor-level access, insert a malicious shortcode into a page or post, and then entice another site visitor to load that page. While the risk is low, the impact of successful exploitation is significant, warranting prompt remediation."}}}}, "created": "2025-12-12T08:47:51.465909+00:00", "updated": "2026-04-21T17:45:16.473464+00:00", "vendors": ["themebon", "themebon$PRODUCT$app_landing_template_blocks_for_wpbakery", "wordpress", "wordpress$PRODUCT$wordpress"]}