{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9353", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-22T14:58:02.773Z", "datePublished": "2025-09-24T12:27:28.647Z", "dateUpdated": "2026-04-08T16:52:22.072Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:22.072Z"}, "affected": [{"vendor": "themifyme", "product": "Themify Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.6.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9."}], "title": "Themify Builder <= 7.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/508e97a0-9757-426c-bf0f-cdce6b489ce7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-icon.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L96"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/js/editor/build/modules.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3366817/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3355757/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-08-27T03:40:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-23T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-24T13:00:05.384680Z", "id": "CVE-2025-9353", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-24T13:00:24.349Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9353", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-24T13:00:05.384680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-24T13:00:21.351Z"}}], "cna": {"title": "Themify Builder <= 7.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themifyme", "product": "Themify Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.6.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-27T03:40:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-23T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/508e97a0-9757-426c-bf0f-cdce6b489ce7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-icon.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L96"}, {"url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/js/editor/build/modules.min.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3366817/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3355757/"}], "descriptions": [{"lang": "en", "value": "The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:22.072Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9353", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:22.072Z", "dateReserved": "2025-08-22T14:58:02.773Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-24T12:27:28.647Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9."}], "id": "CVE-2025-9353", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-24T13:15:37.213", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/js/editor/build/modules.min.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-fancy-heading.php#L96"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/themify-builder/trunk/templates/template-icon.php#L95"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3355757/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3366817/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/508e97a0-9757-426c-bf0f-cdce6b489ce7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:48:10.197501+00:00", "value": {"mitigation_remediation": ["Upgrade the Themify Builder plugin to version 7.7.0 or later, which resolves the stored XSS issue.", "Disable the plugin temporarily on critical sites until an upgrade can be applied.", "Limit or remove Contributor-level access on sites where the plugin is used to prevent injection of malicious content."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (CWE\u201179)"}, "threat_synthesis": {"affected_systems": "The flaw is present in all versions of the Themify Builder plugin for WordPress up to and including 7.6.9. The plugin is developed by themifyme and any WordPress site using a vulnerable version is affected.", "description_and_impact": "The vulnerability allows an attacker with Contributor or higher access in the Themify Builder plugin to store malicious script code in editable fields. When any user visits the affected page, the injected scripts run in that user\u2019s browser, compromising confidentiality, integrity, or availability of the site. The weakness arises from insufficient input sanitization and output escaping, a classic Cross\u2011Site Scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS score below 1\u202f% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor\u2011level or higher privileges; the attacker must submit malicious content that is then rendered for all visitors to the page."}}}}, "created": "2025-09-25T08:21:27.089344+00:00", "updated": "2026-04-22T01:00:04.354747+00:00", "vendors": ["themify", "themify$PRODUCT$themify_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}