CVSS: 6.5EPSS: %CPEs: 1EXPL: 0CVE-2025-30628 – Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) <= 1.2 - Authenticated (Subscriber+) SQL Injection
https://notcve.org/view.php?id=CVE-2025-30628
07 Jul 2025 — The Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the datab... • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4414 – WordPress CMSMasters Content Composer < 2.5.7 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-4414
01 Jul 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through n/a. The CMSMasters Content Composer plugin for WordPress is vulnerable to Local File Inclusion in versions up to 2.5.7. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of ... • https://patchstack.com/database/wordpress/plugin/cmsmasters-content-composer/vulnerability/wordpress-cmsmasters-content-composer-2-5-7-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4965 – WPBakery Page Builder <= 8.4.1 - Authenticated (Author+) Stored Cross-Site Scripting via Grid Builder
https://notcve.org/view.php?id=CVE-2025-4965
18 Jun 2025 — The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://kb.wpbakery.com/docs/preface/release-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46484 – WordPress Image Hover Effects For WPBakery Page Builder <= 2.0 - Cross Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2025-46484
24 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nasir179125 Image Hover Effects For WPBakery Page Builder allows DOM-Based XSS. This issue affects Image Hover Effects For WPBakery Page Builder: from n/a through 2.0. The Image Hover Effects For WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for a... • https://patchstack.com/database/wordpress/plugin/image-hover-effects-for-visual-composer/vulnerability/wordpress-image-hover-effects-for-wpbakery-page-builder-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23775 – WordPress GMAPS for WPBakery Page Builder Free Plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-23775
16 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WWP GMAPS for WPBakery Page Builder Free allows Stored XSS.This issue affects GMAPS for WPBakery Page Builder Free: from n/a through 1.2. The GMAPS for WPBakery Page Builder Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributo... • https://patchstack.com/database/wordpress/plugin/gmaps-for-visual-composer-free/vulnerability/wordpress-gmaps-for-wpbakery-page-builder-free-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51629 – WordPress Header Footer Composer for Elementor plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-51629
01 Nov 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MetricThemes Header Footer Composer for Elementor allows DOM-Based XSS.This issue affects Header Footer Composer for Elementor: from n/a through 1.0.4. The Header Footer Composer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att... • https://patchstack.com/database/vulnerability/header-footer-composer/wordpress-header-footer-composer-for-elementor-plugin-1-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43320 – WordPress WPBakery Page Builder Addons plugin <= 3.9 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43320
16 Aug 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer allows Stored XSS.This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through 3.9. The Livemesh Addons for WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.9 due to insufficient input sanitization and output escaping. This makes it... • https://patchstack.com/database/vulnerability/addons-for-visual-composer/wordpress-wpbakery-page-builder-addons-plugin-3-9-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43263 – WordPress Visual Composer Starter theme <= 3.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43263
12 Aug 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Visual Composer Visual Composer Starter allows Stored XSS.This issue affects Visual Composer Starter: from n/a through 3.3. The Visual Composer Starter theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and ab... • https://patchstack.com/database/vulnerability/visual-composer-starter/wordpress-visual-composer-starter-theme-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37936 – WordPress Tabs For WPBakery Page Builder plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37936
09 Jul 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in labibahmed Tabs For WPBakery Page Builder allows Stored XSS.This issue affects Tabs For WPBakery Page Builder: from n/a through 1.2. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en labibahmed Tabs For WPBakery Page Builder permite XSS almacenado. Este problema afecta a Tabs For WPBakery Page Builder: desde n/a hasta 1.2.... • https://patchstack.com/database/vulnerability/tabs-for-visual-composer/wordpress-tabs-for-wpbakery-page-builder-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35780 – WordPress Page Builder: Live Composer plugin <= 1.5.42 - Contributor+ PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-35780
19 Jun 2024 — Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer.This issue affects Page Builder: Live Composer: from n/a through 1.5.42. Vulnerabilidad de deserialización de datos no confiables en Live Composer Team Page Builder: Live Composer. Este problema afecta a Page Builder: Live Composer: desde n/a hasta 1.5.42. The Page Builder: Live Composer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.42 via deserialization o... • https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-42-contributor-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •