Search

Find a vulnerability

Search criteria

    34 vulnerabilities found for Colibri Page Builder by extendthemes

    CVE-2025-11747 (GCVE-0-2025-11747)

    Vulnerability from nvd – Published: 2025-12-19 08:23 – Updated: 2026-04-08 17:29
    VLAI
    Title
    Colibri Page Builder <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.345 (semver)
    Create a notification for this product.
    Credits
    Abu Hurayra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11747",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T15:34:28.266271Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T15:34:45.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.345",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abu Hurayra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:29:21.688Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3305b39-5f7b-493b-80b5-cb925c2710c1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-15T08:21:04.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-12-18T19:48:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11747",
        "datePublished": "2025-12-19T08:23:41.367Z",
        "dateReserved": "2025-10-14T14:42:25.674Z",
        "dateUpdated": "2026-04-08T17:29:21.688Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11376 (GCVE-0-2025-11376)

    Vulnerability from nvd – Published: 2025-12-13 04:31 – Updated: 2026-04-08 16:46
    VLAI
    Title
    Colibri Page Builder <= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.335 (semver)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11376",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T15:43:38.095877Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T15:48:17.772Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.335",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri_loop\u0027 shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:38.530Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38eaf4be-5083-46fe-b586-e4be190dc9cc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3377192%40colibri-page-builder\u0026new=3377192%40colibri-page-builder\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-12T15:37:12.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11376",
        "datePublished": "2025-12-13T04:31:23.715Z",
        "dateReserved": "2025-10-06T15:39:21.973Z",
        "dateUpdated": "2026-04-08T16:46:38.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9560 (GCVE-0-2025-9560)

    Vulnerability from nvd – Published: 2025-10-11 02:24 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Colibri Page Builder <= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.334 (semver)
    Create a notification for this product.
    Credits
    Muhammad Yudha - DJ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9560",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T13:42:31.521032Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T14:15:07.490Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.334",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Yudha - DJ"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:35.816Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0ef1679f-44ec-448a-a77b-489ac9bfaa7a?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/colibri-page-builder/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3373432/colibri-page-builder/trunk/extend-builder/shortcodes/newsletter.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-10-10T14:09:28.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-9560",
        "datePublished": "2025-10-11T02:24:51.813Z",
        "dateReserved": "2025-08-27T20:15:51.490Z",
        "dateUpdated": "2026-04-08T16:35:35.816Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5020 (GCVE-0-2024-5020)

    Vulnerability from nvd – Published: 2024-12-04 08:22 – Updated: 2026-04-08 17:27
    VLAI
    Title
    Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
    Summary
    Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.286 (semver)
    Create a notification for this product.
    smub Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Affected: 0 , ≤ 1.8.15 (semver)
    Create a notification for this product.
    bqworks Accordion Slider Affected: 0 , ≤ 1.9.12 (semver)
    Create a notification for this product.
    10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Affected: 0 , ≤ 1.15.27 (semver)
    Create a notification for this product.
    jetmonsters Getwid – Gutenberg Blocks Affected: 0 , ≤ 2.0.11 (semver)
    Create a notification for this product.
    firelightwp Firelight Lightbox Affected: 0 , ≤ 2.3.3 (semver)
    Create a notification for this product.
    dfactory Responsive Lightbox & Gallery Affected: 0 , ≤ 2.4.8 (semver)
    Create a notification for this product.
    shapedplugin Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Affected: 0 , ≤ 2.6.8 (semver)
    Create a notification for this product.
    colorlibplugins FancyBox for WordPress Affected: 0 , ≤ 3.3.4 (semver)
    Create a notification for this product.
    nko Visual Portfolio, Photo Gallery & Post Grid Affected: 0 , ≤ 3.3.9 (semver)
    Create a notification for this product.
    smub Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Affected: 0 , ≤ 3.59.4 (semver)
    Create a notification for this product.
    wpclever WPC Smart Quick View for WooCommerce Affected: 0 , ≤ 4.1.1 (semver)
    Create a notification for this product.
    posimyththemes Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Affected: 0 , ≤ 4.3.1 (semver)
    Create a notification for this product.
    Easy Social Feed Easy Social Feed Premium Affected: 0 , ≤ 6.6.2 (semver)
    Create a notification for this product.
    foliovision FV Flowplayer Video Player Affected: 0 , ≤ 7.5.47.7212 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5020",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T14:02:27.273797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-04T14:09:09.188Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.286",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Accordion Slider",
              "vendor": "bqworks",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Getwid \u2013 Gutenberg Blocks",
              "vendor": "jetmonsters",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Firelight Lightbox",
              "vendor": "firelightwp",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Responsive Lightbox \u0026 Gallery",
              "vendor": "dfactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.4.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel",
              "vendor": "shapedplugin",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FancyBox for WordPress",
              "vendor": "colorlibplugins",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
              "vendor": "nko",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "3.59.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WPC Smart Quick View for WooCommerce",
              "vendor": "wpclever",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Nexter Blocks \u2013 Gutenberg Blocks, Page Builder \u0026 AI Website Builder",
              "vendor": "posimyththemes",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Easy Social Feed Premium",
              "vendor": "Easy Social Feed",
              "versions": [
                {
                  "lessThanOrEqual": "6.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FV Flowplayer Video Player",
              "vendor": "foliovision",
              "versions": [
                {
                  "lessThanOrEqual": "7.5.47.7212",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:10.759Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d99d4b9a-aa09-434d-91a8-7afaa0e8b5db?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3150376/woo-smart-quick-view"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153081/colibri-page-builder"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3157076/nextgen-gallery"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3158415/envira-gallery-lite"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156791/form-maker"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160432/visual-portfolio"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161422/fv-wordpress-flowplayer"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160232/easy-fancybox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161892/wp-carousel-free"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3173097/responsive-lightbox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3175577%40getwid%2Ftrunk\u0026old=3119180%40getwid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3186301%40fancybox-for-wordpress%2Ftrunk\u0026old=3058912%40fancybox-for-wordpress%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3169926/accordion-slider"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3306189%40the-plus-addons-for-block-editor\u0026new=3306189%40the-plus-addons-for-block-editor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-13T17:22:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-12-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5020",
        "datePublished": "2024-12-04T08:22:46.855Z",
        "dateReserved": "2024-05-16T16:50:11.363Z",
        "dateUpdated": "2026-04-08T17:27:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4451 (GCVE-0-2024-4451)

    Vulnerability from nvd – Published: 2024-06-07 06:52 – Updated: 2026-04-08 16:34
    VLAI
    Title
    Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_video_player shortcode in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.276 (semver)
    Create a notification for this product.
    extendthemes colibri_page_builder Affected: 0 , ≤ 1.0.276 (semver)
        cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Ngô Thiên An
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "colibri_page_builder",
                "vendor": "extendthemes",
                "versions": [
                  {
                    "lessThanOrEqual": "1.0.276",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-07T15:42:38.573719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-07T15:48:16.311Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:40:47.151Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0afd981e-3ae8-4450-9750-23ff6fe612dc?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3097694/colibri-page-builder/trunk/extend-builder/shortcodes/video.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.276",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s colibri_video_player shortcode in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:34:47.674Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0afd981e-3ae8-4450-9750-23ff6fe612dc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3097694/colibri-page-builder/trunk/extend-builder/shortcodes/video.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-06T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-06-06T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4451",
        "datePublished": "2024-06-07T06:52:21.626Z",
        "dateReserved": "2024-05-02T22:04:24.505Z",
        "dateUpdated": "2026-04-08T16:34:47.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5038 (GCVE-0-2024-5038)

    Vulnerability from nvd – Published: 2024-06-06 11:03 – Updated: 2026-04-08 16:34
    VLAI
    Title
    Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.276 (semver)
    Create a notification for this product.
    Credits
    Ngô Thiên An
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5038",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-06T13:22:26.333962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-06T13:22:32.888Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:03:10.411Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08159865-1411-4a07-b5db-f4ba5bf2d633?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php#L132"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3097694/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.276",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s shortcode(s) in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:34:08.354Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08159865-1411-4a07-b5db-f4ba5bf2d633?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php#L132"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3097694/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5038",
        "datePublished": "2024-06-06T11:03:02.821Z",
        "dateReserved": "2024-05-16T22:05:58.396Z",
        "dateUpdated": "2026-04-08T16:34:08.354Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3340 (GCVE-0-2024-3340)

    Vulnerability from nvd – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:33
    VLAI
    Title
    Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri-gallery-slideshow' Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri-gallery-slideshow' shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.272 (semver)
    Create a notification for this product.
    Credits
    Ngô Thiên An
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3340",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-02T19:21:46.708424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:32:57.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.413Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5ba832e-98bc-421d-9b60-e6260c408815?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/index.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.272",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri-gallery-slideshow\u0027 shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:23.477Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5ba832e-98bc-421d-9b60-e6260c408815?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/index.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027colibri-gallery-slideshow\u0027 Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3340",
        "datePublished": "2024-05-02T16:52:52.335Z",
        "dateReserved": "2024-04-04T19:33:38.309Z",
        "dateUpdated": "2026-04-08T17:33:23.477Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3338 (GCVE-0-2024-3338)

    Vulnerability from nvd – Published: 2024-05-02 16:51 – Updated: 2026-04-08 16:46
    VLAI
    Title
    Colibri Page Builder <= 1.0.262 - Authenticated (Author+) Stored Cross-Site Scripting
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt data parameter in all versions up to, and including, 1.0.262 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.262 (semver)
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3338",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-06T19:17:08.934024Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:24.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.410Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a066eae-4040-4d76-b730-47d98dc37662?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/extend-builder.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.262",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt data parameter in all versions up to, and including, 1.0.262 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:55.712Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a066eae-4040-4d76-b730-47d98dc37662?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/extend-builder.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.262 - Authenticated (Author+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3338",
        "datePublished": "2024-05-02T16:51:59.650Z",
        "dateReserved": "2024-04-04T19:26:27.387Z",
        "dateUpdated": "2026-04-08T16:46:55.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3337 (GCVE-0-2024-3337)

    Vulnerability from nvd – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:16
    VLAI
    Title
    Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri_breadcrumb_element' Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_breadcrumb_element' shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.272 (semver)
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3337",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T19:15:10.177001Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:32:58.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.405Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ae4226-0089-47fb-87b9-94e9faf764e4?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/breadcrumb.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.272",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri_breadcrumb_element\u0027 shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:30.172Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ae4226-0089-47fb-87b9-94e9faf764e4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/breadcrumb.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027colibri_breadcrumb_element\u0027 Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3337",
        "datePublished": "2024-05-02T16:52:32.076Z",
        "dateReserved": "2024-04-04T19:21:13.997Z",
        "dateUpdated": "2026-04-08T17:16:30.172Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2839 (GCVE-0-2024-2839)

    Vulnerability from nvd – Published: 2024-04-02 06:47 – Updated: 2026-04-08 17:21
    VLAI
    Title
    Colibri Page Builder <= 1.0.263 - Authenticated (Contributor+) Stored Cross-Site Scripting
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_post_title' shortcode in all versions up to, and including, 1.0.263 due to insufficient input sanitization and output escaping on user supplied attributes such as 'heading_type'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.263 (semver)
    Create a notification for this product.
    Credits
    Ngô Thiên An Dau Hoang Tai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2839",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-02T15:34:36.950216Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:30:53.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:25:42.137Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9466e5f-d8eb-4de4-a1d2-e5ef15bf1e4e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3061940/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.263",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Dau Hoang Tai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri_post_title\u0027 shortcode in all versions up to, and including, 1.0.263 due to insufficient input sanitization and output escaping on user supplied attributes such as \u0027heading_type\u0027. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:21:48.549Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9466e5f-d8eb-4de4-a1d2-e5ef15bf1e4e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3061940/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-01T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.263 - Authenticated (Contributor+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2839",
        "datePublished": "2024-04-02T06:47:43.668Z",
        "dateReserved": "2024-03-22T19:16:46.881Z",
        "dateUpdated": "2026-04-08T17:21:48.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-28004 (GCVE-0-2024-28004)

    Vulnerability from nvd – Published: 2024-03-28 05:51 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress Colibri Page Builder plugin <= 1.0.248 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    ExtendThemes Colibri Page Builder Affected: n/a , ≤ 1.0.248 (custom)
    Create a notification for this product.
    extendthemes colibri_page_builder Affected: 0 , ≤ 1.0.248 (custom)
        cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Rafie Muhammad (Patchstack)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:41:55.957Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/colibri-page-builder/wordpress-colibri-page-builder-plugin-1-0-248-broken-access-control-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "colibri_page_builder",
                "vendor": "extendthemes",
                "versions": [
                  {
                    "lessThanOrEqual": "1.0.248",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28004",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-10T19:42:23.399976Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-11T14:01:46.964Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "colibri-page-builder",
              "product": "Colibri Page Builder",
              "vendor": "ExtendThemes",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.0.249",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.0.248",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rafie Muhammad (Patchstack)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.\u003cp\u003eThis issue affects Colibri Page Builder: from n/a through 1.0.248.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:15.455Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/colibri-page-builder/wordpress-colibri-page-builder-plugin-1-0-248-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 1.0.249 or a higher version."
                }
              ],
              "value": "Update to 1.0.249 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Colibri Page Builder plugin \u003c= 1.0.248 - Broken Access Control vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-28004",
        "datePublished": "2024-03-28T05:51:25.338Z",
        "dateReserved": "2024-02-29T06:17:46.688Z",
        "dateUpdated": "2026-04-28T16:09:15.455Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1870 (GCVE-0-2024-1870)

    Vulnerability from nvd – Published: 2024-03-09 09:37 – Updated: 2026-04-08 16:36
    VLAI
    Title
    Colibri Page Builder <= 1.0.260 - Missing Authorization
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.260 (semver)
    Create a notification for this product.
    Credits
    Stacy Purcell
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1870",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-11T15:04:52.588092Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:59:41.084Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:56:22.387Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1\u0026old=2888093\u0026old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.260",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Stacy Purcell"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:33.432Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1\u0026old=2888093\u0026old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-03-08T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.260 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1870",
        "datePublished": "2024-03-09T09:37:46.628Z",
        "dateReserved": "2024-02-23T21:59:45.320Z",
        "dateUpdated": "2026-04-08T16:36:33.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1362 (GCVE-0-2024-1362)

    Vulnerability from nvd – Published: 2024-02-23 11:03 – Updated: 2026-04-08 17:13
    VLAI
    Title
    Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via cp_shortcode_refresh
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.253 (semver)
    Create a notification for this product.
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-23T14:34:26.733884Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:21:58.174Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.568Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5e7a994-c489-4aea-a9bb-898bc92cae4e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/src/PageBuilder.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.253",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:13:22.418Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5e7a994-c489-4aea-a9bb-898bc92cae4e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/src/PageBuilder.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.253 - Cross-Site Request Fogery via cp_shortcode_refresh"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1362",
        "datePublished": "2024-02-23T11:03:46.451Z",
        "dateReserved": "2024-02-08T18:47:18.368Z",
        "dateUpdated": "2026-04-08T17:13:22.418Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1361 (GCVE-0-2024-1361)

    Vulnerability from nvd – Published: 2024-02-23 11:03 – Updated: 2026-04-08 16:41
    VLAI
    Title
    Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via extend_builder
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.253 (semver)
    Create a notification for this product.
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1361",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-23T16:57:53.359194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T18:00:32.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.582Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/233a29f5-12bf-4849-9b28-4458a0b0c940?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/extend-builder/api/api.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.253",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:41:54.687Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/233a29f5-12bf-4849-9b28-4458a0b0c940?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/extend-builder/api/api.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.253 - Cross-Site Request Fogery via extend_builder"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1361",
        "datePublished": "2024-02-23T11:03:45.823Z",
        "dateReserved": "2024-02-08T18:44:49.179Z",
        "dateUpdated": "2026-04-08T16:41:54.687Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6988 (GCVE-0-2023-6988)

    Vulnerability from nvd – Published: 2024-01-11 08:32 – Updated: 2026-04-08 16:44
    VLAI
    Title
    Colibri Page Builder <= 1.0.239 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.239 (semver)
    Create a notification for this product.
    Credits
    Hung -mov Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:08.246Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/300b24af-10a1-45b9-87ec-7c98dc94e76b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.svn.wordpress.org/colibri-page-builder/trunk/extend-builder/shortcodes/render-js.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3013337%40colibri-page-builder\u0026new=3013337%40colibri-page-builder\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6988",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T15:55:55.728672Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-03T14:10:00.788Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.239",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hung -mov Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:44:45.956Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/300b24af-10a1-45b9-87ec-7c98dc94e76b?source=cve"
            },
            {
              "url": "https://plugins.svn.wordpress.org/colibri-page-builder/trunk/extend-builder/shortcodes/render-js.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3013337%40colibri-page-builder\u0026new=3013337%40colibri-page-builder\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-23T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.239 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6988",
        "datePublished": "2024-01-11T08:32:30.935Z",
        "dateReserved": "2023-12-20T09:38:11.029Z",
        "dateUpdated": "2026-04-08T16:44:45.956Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11747 (GCVE-0-2025-11747)

    Vulnerability from cvelistv5 – Published: 2025-12-19 08:23 – Updated: 2026-04-08 17:29
    VLAI
    Title
    Colibri Page Builder <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.345 (semver)
    Create a notification for this product.
    Credits
    Abu Hurayra
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11747",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T15:34:28.266271Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T15:34:45.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.345",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abu Hurayra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:29:21.688Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3305b39-5f7b-493b-80b5-cb925c2710c1?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-15T08:21:04.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-12-18T19:48:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11747",
        "datePublished": "2025-12-19T08:23:41.367Z",
        "dateReserved": "2025-10-14T14:42:25.674Z",
        "dateUpdated": "2026-04-08T17:29:21.688Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11376 (GCVE-0-2025-11376)

    Vulnerability from cvelistv5 – Published: 2025-12-13 04:31 – Updated: 2026-04-08 16:46
    VLAI
    Title
    Colibri Page Builder <= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.335 (semver)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11376",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T15:43:38.095877Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T15:48:17.772Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.335",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri_loop\u0027 shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:38.530Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38eaf4be-5083-46fe-b586-e4be190dc9cc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3377192%40colibri-page-builder\u0026new=3377192%40colibri-page-builder\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-12T15:37:12.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-11376",
        "datePublished": "2025-12-13T04:31:23.715Z",
        "dateReserved": "2025-10-06T15:39:21.973Z",
        "dateUpdated": "2026-04-08T16:46:38.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9560 (GCVE-0-2025-9560)

    Vulnerability from cvelistv5 – Published: 2025-10-11 02:24 – Updated: 2026-04-08 16:35
    VLAI
    Title
    Colibri Page Builder <= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.334 (semver)
    Create a notification for this product.
    Credits
    Muhammad Yudha - DJ
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9560",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T13:42:31.521032Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T14:15:07.490Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.334",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Yudha - DJ"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:35.816Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0ef1679f-44ec-448a-a77b-489ac9bfaa7a?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/colibri-page-builder/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3373432/colibri-page-builder/trunk/extend-builder/shortcodes/newsletter.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-10-10T14:09:28.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-9560",
        "datePublished": "2025-10-11T02:24:51.813Z",
        "dateReserved": "2025-08-27T20:15:51.490Z",
        "dateUpdated": "2026-04-08T16:35:35.816Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5020 (GCVE-0-2024-5020)

    Vulnerability from cvelistv5 – Published: 2024-12-04 08:22 – Updated: 2026-04-08 17:27
    VLAI
    Title
    Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
    Summary
    Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.286 (semver)
    Create a notification for this product.
    smub Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Affected: 0 , ≤ 1.8.15 (semver)
    Create a notification for this product.
    bqworks Accordion Slider Affected: 0 , ≤ 1.9.12 (semver)
    Create a notification for this product.
    10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Affected: 0 , ≤ 1.15.27 (semver)
    Create a notification for this product.
    jetmonsters Getwid – Gutenberg Blocks Affected: 0 , ≤ 2.0.11 (semver)
    Create a notification for this product.
    firelightwp Firelight Lightbox Affected: 0 , ≤ 2.3.3 (semver)
    Create a notification for this product.
    dfactory Responsive Lightbox & Gallery Affected: 0 , ≤ 2.4.8 (semver)
    Create a notification for this product.
    shapedplugin Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Affected: 0 , ≤ 2.6.8 (semver)
    Create a notification for this product.
    colorlibplugins FancyBox for WordPress Affected: 0 , ≤ 3.3.4 (semver)
    Create a notification for this product.
    nko Visual Portfolio, Photo Gallery & Post Grid Affected: 0 , ≤ 3.3.9 (semver)
    Create a notification for this product.
    smub Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Affected: 0 , ≤ 3.59.4 (semver)
    Create a notification for this product.
    wpclever WPC Smart Quick View for WooCommerce Affected: 0 , ≤ 4.1.1 (semver)
    Create a notification for this product.
    posimyththemes Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Affected: 0 , ≤ 4.3.1 (semver)
    Create a notification for this product.
    Easy Social Feed Easy Social Feed Premium Affected: 0 , ≤ 6.6.2 (semver)
    Create a notification for this product.
    foliovision FV Flowplayer Video Player Affected: 0 , ≤ 7.5.47.7212 (semver)
    Create a notification for this product.
    Credits
    Craig Smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5020",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T14:02:27.273797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-04T14:09:09.188Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.286",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Accordion Slider",
              "vendor": "bqworks",
              "versions": [
                {
                  "lessThanOrEqual": "1.9.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Form Maker by 10Web \u2013 Mobile-Friendly Drag \u0026 Drop Contact Form Builder",
              "vendor": "10web",
              "versions": [
                {
                  "lessThanOrEqual": "1.15.27",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Getwid \u2013 Gutenberg Blocks",
              "vendor": "jetmonsters",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Firelight Lightbox",
              "vendor": "firelightwp",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Responsive Lightbox \u0026 Gallery",
              "vendor": "dfactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.4.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel",
              "vendor": "shapedplugin",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FancyBox for WordPress",
              "vendor": "colorlibplugins",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
              "vendor": "nko",
              "versions": [
                {
                  "lessThanOrEqual": "3.3.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "3.59.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WPC Smart Quick View for WooCommerce",
              "vendor": "wpclever",
              "versions": [
                {
                  "lessThanOrEqual": "4.1.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Nexter Blocks \u2013 Gutenberg Blocks, Page Builder \u0026 AI Website Builder",
              "vendor": "posimyththemes",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Easy Social Feed Premium",
              "vendor": "Easy Social Feed",
              "versions": [
                {
                  "lessThanOrEqual": "6.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "FV Flowplayer Video Player",
              "vendor": "foliovision",
              "versions": [
                {
                  "lessThanOrEqual": "7.5.47.7212",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Craig Smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:27:10.759Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d99d4b9a-aa09-434d-91a8-7afaa0e8b5db?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3150376/woo-smart-quick-view"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3153081/colibri-page-builder"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3157076/nextgen-gallery"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3158415/envira-gallery-lite"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3156791/form-maker"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160432/visual-portfolio"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161422/fv-wordpress-flowplayer"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3160232/easy-fancybox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3161892/wp-carousel-free"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3173097/responsive-lightbox"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3175577%40getwid%2Ftrunk\u0026old=3119180%40getwid%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3186301%40fancybox-for-wordpress%2Ftrunk\u0026old=3058912%40fancybox-for-wordpress%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3169926/accordion-slider"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3306189%40the-plus-addons-for-block-editor\u0026new=3306189%40the-plus-addons-for-block-editor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-13T17:22:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-12-03T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5020",
        "datePublished": "2024-12-04T08:22:46.855Z",
        "dateReserved": "2024-05-16T16:50:11.363Z",
        "dateUpdated": "2026-04-08T17:27:10.759Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4451 (GCVE-0-2024-4451)

    Vulnerability from cvelistv5 – Published: 2024-06-07 06:52 – Updated: 2026-04-08 16:34
    VLAI
    Title
    Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_video_player shortcode in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.276 (semver)
    Create a notification for this product.
    extendthemes colibri_page_builder Affected: 0 , ≤ 1.0.276 (semver)
        cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Ngô Thiên An
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "colibri_page_builder",
                "vendor": "extendthemes",
                "versions": [
                  {
                    "lessThanOrEqual": "1.0.276",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4451",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-07T15:42:38.573719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-07T15:48:16.311Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:40:47.151Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0afd981e-3ae8-4450-9750-23ff6fe612dc?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3097694/colibri-page-builder/trunk/extend-builder/shortcodes/video.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.276",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s colibri_video_player shortcode in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:34:47.674Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0afd981e-3ae8-4450-9750-23ff6fe612dc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3097694/colibri-page-builder/trunk/extend-builder/shortcodes/video.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-06T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-06-06T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4451",
        "datePublished": "2024-06-07T06:52:21.626Z",
        "dateReserved": "2024-05-02T22:04:24.505Z",
        "dateUpdated": "2026-04-08T16:34:47.674Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5038 (GCVE-0-2024-5038)

    Vulnerability from cvelistv5 – Published: 2024-06-06 11:03 – Updated: 2026-04-08 16:34
    VLAI
    Title
    Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.276 (semver)
    Create a notification for this product.
    Credits
    Ngô Thiên An
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5038",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-06T13:22:26.333962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-06T13:22:32.888Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:03:10.411Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08159865-1411-4a07-b5db-f4ba5bf2d633?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php#L132"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3097694/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.276",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s shortcode(s) in all versions up to, and including, 1.0.276 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:34:08.354Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08159865-1411-4a07-b5db-f4ba5bf2d633?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php#L132"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3097694/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-06-05T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5038",
        "datePublished": "2024-06-06T11:03:02.821Z",
        "dateReserved": "2024-05-16T22:05:58.396Z",
        "dateUpdated": "2026-04-08T16:34:08.354Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3340 (GCVE-0-2024-3340)

    Vulnerability from cvelistv5 – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:33
    VLAI
    Title
    Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri-gallery-slideshow' Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri-gallery-slideshow' shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.272 (semver)
    Create a notification for this product.
    Credits
    Ngô Thiên An
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3340",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-02T19:21:46.708424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:32:57.909Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.413Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5ba832e-98bc-421d-9b60-e6260c408815?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/index.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.272",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri-gallery-slideshow\u0027 shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:33:23.477Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5ba832e-98bc-421d-9b60-e6260c408815?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/index.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027colibri-gallery-slideshow\u0027 Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3340",
        "datePublished": "2024-05-02T16:52:52.335Z",
        "dateReserved": "2024-04-04T19:33:38.309Z",
        "dateUpdated": "2026-04-08T17:33:23.477Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3337 (GCVE-0-2024-3337)

    Vulnerability from cvelistv5 – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:16
    VLAI
    Title
    Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri_breadcrumb_element' Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_breadcrumb_element' shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.272 (semver)
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3337",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T19:15:10.177001Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:32:58.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.405Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ae4226-0089-47fb-87b9-94e9faf764e4?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/breadcrumb.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.272",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri_breadcrumb_element\u0027 shortcode in all versions up to, and including, 1.0.272 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:30.172Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ae4226-0089-47fb-87b9-94e9faf764e4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/shortcodes/breadcrumb.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027colibri_breadcrumb_element\u0027 Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3337",
        "datePublished": "2024-05-02T16:52:32.076Z",
        "dateReserved": "2024-04-04T19:21:13.997Z",
        "dateUpdated": "2026-04-08T17:16:30.172Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3338 (GCVE-0-2024-3338)

    Vulnerability from cvelistv5 – Published: 2024-05-02 16:51 – Updated: 2026-04-08 16:46
    VLAI
    Title
    Colibri Page Builder <= 1.0.262 - Authenticated (Author+) Stored Cross-Site Scripting
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt data parameter in all versions up to, and including, 1.0.262 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.262 (semver)
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3338",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-06T19:17:08.934024Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:24.444Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:05:08.410Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a066eae-4040-4d76-b730-47d98dc37662?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/extend-builder.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.262",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt data parameter in all versions up to, and including, 1.0.262 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:46:55.712Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a066eae-4040-4d76-b730-47d98dc37662?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3074785/colibri-page-builder/trunk/extend-builder/extend-builder.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.262 - Authenticated (Author+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3338",
        "datePublished": "2024-05-02T16:51:59.650Z",
        "dateReserved": "2024-04-04T19:26:27.387Z",
        "dateUpdated": "2026-04-08T16:46:55.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-2839 (GCVE-0-2024-2839)

    Vulnerability from cvelistv5 – Published: 2024-04-02 06:47 – Updated: 2026-04-08 17:21
    VLAI
    Title
    Colibri Page Builder <= 1.0.263 - Authenticated (Contributor+) Stored Cross-Site Scripting
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_post_title' shortcode in all versions up to, and including, 1.0.263 due to insufficient input sanitization and output escaping on user supplied attributes such as 'heading_type'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.263 (semver)
    Create a notification for this product.
    Credits
    Ngô Thiên An Dau Hoang Tai
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2839",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-02T15:34:36.950216Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:30:53.818Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:25:42.137Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9466e5f-d8eb-4de4-a1d2-e5ef15bf1e4e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3061940/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.263",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ng\u00f4 Thi\u00ean An"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Dau Hoang Tai"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027colibri_post_title\u0027 shortcode in all versions up to, and including, 1.0.263 due to insufficient input sanitization and output escaping on user supplied attributes such as \u0027heading_type\u0027. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:21:48.549Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9466e5f-d8eb-4de4-a1d2-e5ef15bf1e4e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3061940/colibri-page-builder/trunk/extend-builder/shortcodes/blog/post-item.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-01T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.263 - Authenticated (Contributor+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-2839",
        "datePublished": "2024-04-02T06:47:43.668Z",
        "dateReserved": "2024-03-22T19:16:46.881Z",
        "dateUpdated": "2026-04-08T17:21:48.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-28004 (GCVE-0-2024-28004)

    Vulnerability from cvelistv5 – Published: 2024-03-28 05:51 – Updated: 2026-04-28 16:09
    VLAI
    Title
    WordPress Colibri Page Builder plugin <= 1.0.248 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    ExtendThemes Colibri Page Builder Affected: n/a , ≤ 1.0.248 (custom)
    Create a notification for this product.
    extendthemes colibri_page_builder Affected: 0 , ≤ 1.0.248 (custom)
        cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Rafie Muhammad (Patchstack)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:41:55.957Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/colibri-page-builder/wordpress-colibri-page-builder-plugin-1-0-248-broken-access-control-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "colibri_page_builder",
                "vendor": "extendthemes",
                "versions": [
                  {
                    "lessThanOrEqual": "1.0.248",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-28004",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-10T19:42:23.399976Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-11T14:01:46.964Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "colibri-page-builder",
              "product": "Colibri Page Builder",
              "vendor": "ExtendThemes",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.0.249",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.0.248",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rafie Muhammad (Patchstack)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.\u003cp\u003eThis issue affects Colibri Page Builder: from n/a through 1.0.248.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:09:15.455Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/colibri-page-builder/wordpress-colibri-page-builder-plugin-1-0-248-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to 1.0.249 or a higher version."
                }
              ],
              "value": "Update to 1.0.249 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Colibri Page Builder plugin \u003c= 1.0.248 - Broken Access Control vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-28004",
        "datePublished": "2024-03-28T05:51:25.338Z",
        "dateReserved": "2024-02-29T06:17:46.688Z",
        "dateUpdated": "2026-04-28T16:09:15.455Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1870 (GCVE-0-2024-1870)

    Vulnerability from cvelistv5 – Published: 2024-03-09 09:37 – Updated: 2026-04-08 16:36
    VLAI
    Title
    Colibri Page Builder <= 1.0.260 - Missing Authorization
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.260 (semver)
    Create a notification for this product.
    Credits
    Stacy Purcell
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1870",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-11T15:04:52.588092Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:59:41.084Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:56:22.387Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1\u0026old=2888093\u0026old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.260",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Stacy Purcell"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:36:33.432Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1\u0026old=2888093\u0026old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-03-08T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.260 - Missing Authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1870",
        "datePublished": "2024-03-09T09:37:46.628Z",
        "dateReserved": "2024-02-23T21:59:45.320Z",
        "dateUpdated": "2026-04-08T16:36:33.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1362 (GCVE-0-2024-1362)

    Vulnerability from cvelistv5 – Published: 2024-02-23 11:03 – Updated: 2026-04-08 17:13
    VLAI
    Title
    Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via cp_shortcode_refresh
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.253 (semver)
    Create a notification for this product.
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1362",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-23T14:34:26.733884Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:21:58.174Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.568Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5e7a994-c489-4aea-a9bb-898bc92cae4e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/src/PageBuilder.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.253",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:13:22.418Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5e7a994-c489-4aea-a9bb-898bc92cae4e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/src/PageBuilder.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.253 - Cross-Site Request Fogery via cp_shortcode_refresh"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1362",
        "datePublished": "2024-02-23T11:03:46.451Z",
        "dateReserved": "2024-02-08T18:47:18.368Z",
        "dateUpdated": "2026-04-08T17:13:22.418Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-1361 (GCVE-0-2024-1361)

    Vulnerability from cvelistv5 – Published: 2024-02-23 11:03 – Updated: 2026-04-08 16:41
    VLAI
    Title
    Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via extend_builder
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.253 (semver)
    Create a notification for this product.
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1361",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-23T16:57:53.359194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T18:00:32.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:33:25.582Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/233a29f5-12bf-4849-9b28-4458a0b0c940?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/extend-builder/api/api.php"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.253",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:41:54.687Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/233a29f5-12bf-4849-9b28-4458a0b0c940?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3039597/colibri-page-builder/trunk/extend-builder/api/api.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.253 - Cross-Site Request Fogery via extend_builder"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-1361",
        "datePublished": "2024-02-23T11:03:45.823Z",
        "dateReserved": "2024-02-08T18:44:49.179Z",
        "dateUpdated": "2026-04-08T16:41:54.687Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6988 (GCVE-0-2023-6988)

    Vulnerability from cvelistv5 – Published: 2024-01-11 08:32 – Updated: 2026-04-08 16:44
    VLAI
    Title
    Colibri Page Builder <= 1.0.239 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    extendthemes Colibri Page Builder Affected: 0 , ≤ 1.0.239 (semver)
    Create a notification for this product.
    Credits
    Hung -mov Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:50:08.246Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/300b24af-10a1-45b9-87ec-7c98dc94e76b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.svn.wordpress.org/colibri-page-builder/trunk/extend-builder/shortcodes/render-js.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3013337%40colibri-page-builder\u0026new=3013337%40colibri-page-builder\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6988",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T15:55:55.728672Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-03T14:10:00.788Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Colibri Page Builder",
              "vendor": "extendthemes",
              "versions": [
                {
                  "lessThanOrEqual": "1.0.239",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hung -mov Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:44:45.956Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/300b24af-10a1-45b9-87ec-7c98dc94e76b?source=cve"
            },
            {
              "url": "https://plugins.svn.wordpress.org/colibri-page-builder/trunk/extend-builder/shortcodes/render-js.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3013337%40colibri-page-builder\u0026new=3013337%40colibri-page-builder\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-23T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Colibri Page Builder \u003c= 1.0.239 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6988",
        "datePublished": "2024-01-11T08:32:30.935Z",
        "dateReserved": "2023-12-20T09:38:11.029Z",
        "dateUpdated": "2026-04-08T16:44:45.956Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }