Search criteria
8 vulnerabilities found for wp_page_builder by themeum
CVE-2022-3830 (GCVE-0-2022-3830)
Vulnerability from nvd – Published: 2022-12-05 16:50 – Updated: 2025-04-24 13:22
VLAI
Title
WP Page Builder <= 1.2.8 - Admin+ Stored Cross-Site
Summary
The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity
4.8 (Medium)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/98b2321d-fb66-4e… | exploitvdb-entrytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Page Builder |
Affected:
0 , ≤ 1.2.8
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/98b2321d-fb66-4e02-9906-63af7b08d647"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3830",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T13:22:02.940330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T13:22:41.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "affected",
"product": "WP Page Builder",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vaibhav Koli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T16:50:33.163Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/98b2321d-fb66-4e02-9906-63af7b08d647"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP Page Builder \u003c= 1.2.8 - Admin+ Stored Cross-Site",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3830",
"datePublished": "2022-12-05T16:50:33.163Z",
"dateReserved": "2022-11-02T09:42:40.880Z",
"dateUpdated": "2025-04-24T13:22:41.136Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40963 (GCVE-0-2022-40963)
Vulnerability from nvd – Published: 2022-11-18 22:19 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP Page Builder plugin <= 1.2.6 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerabilities in WP Page Builder plugin <= 1.2.6 on WordPress.
Severity
4.8 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Themeum | WP Page Builder (WordPress plugin) |
Affected:
<= 1.2.6 , ≤ 1.2.6
(custom)
|
Date Public
2022-10-21 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:28:42.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-pagebuilder/wordpress-wp-page-builder-plugin-1-2-6-multiple-auth-stored-cross-site-scripting-xss-vulnerabilities?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-pagebuilder/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Page Builder (WordPress plugin)",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "1.2.6",
"status": "affected",
"version": "\u003c= 1.2.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
}
],
"datePublic": "2022-10-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerabilities in WP Page Builder plugin \u003c= 1.2.6 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:49.256Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/wp-pagebuilder/wordpress-wp-page-builder-plugin-1-2-6-multiple-auth-stored-cross-site-scripting-xss-vulnerabilities?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/wp-pagebuilder/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.2.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP Page Builder plugin \u003c= 1.2.6 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40963",
"datePublished": "2022-11-18T22:19:45.378Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:49.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24208 (GCVE-0-2021-24208)
Vulnerability from nvd – Published: 2021-04-05 18:27 – Updated: 2024-08-03 19:21
VLAI
Title
WP Page Builder < 1.2.4 - Multiple Stored Cross-Site scripting (XSS)
Summary
The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is also possible to insert malicious JavaScript via the “wppb_page_css” parameter (this can be done by closing out the style tag and opening a script tag) when performing the “wppb_page_save” AJAX action.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.themeum.com/wp-page-builder-updated-v1-2-4/ | x_refsource_MISC |
| https://wpscan.com/vulnerability/c20e243d-b0de-4a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Page Builder |
Affected:
1.2.4 , < 1.2.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Page Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.4",
"status": "affected",
"version": "1.2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ramuel Gall"
}
],
"descriptions": [
{
"lang": "en",
"value": "The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the \u201cRaw HTML\u201d widget and the \u201cCustom HTML\u201d widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the \u201cpage_builder_data\u201d parameter when performing the \u201cwppb_page_save\u201d AJAX action. It is also possible to insert malicious JavaScript via the \u201cwppb_page_css\u201d parameter (this can be done by closing out the style tag and opening a script tag) when performing the \u201cwppb_page_save\u201d AJAX action."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T18:27:46.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Page Builder \u003c 1.2.4 - Multiple Stored Cross-Site scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24208",
"STATE": "PUBLIC",
"TITLE": "WP Page Builder \u003c 1.2.4 - Multiple Stored Cross-Site scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Page Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.4",
"version_value": "1.2.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ramuel Gall"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the \u201cRaw HTML\u201d widget and the \u201cCustom HTML\u201d widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the \u201cpage_builder_data\u201d parameter when performing the \u201cwppb_page_save\u201d AJAX action. It is also possible to insert malicious JavaScript via the \u201cwppb_page_css\u201d parameter (this can be done by closing out the style tag and opening a script tag) when performing the \u201cwppb_page_save\u201d AJAX action."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/",
"refsource": "MISC",
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
},
{
"name": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24208",
"datePublished": "2021-04-05T18:27:46.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24207 (GCVE-0-2021-24207)
Vulnerability from nvd – Published: 2021-04-05 18:27 – Updated: 2024-08-03 19:21
VLAI
Title
WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts
Summary
By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/21e7a46f-e9a3-4b… | x_refsource_CONFIRM |
| https://www.themeum.com/wp-page-builder-updated-v1-2-4/ | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Page Builder |
Affected:
1.2.4 , < 1.2.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Page Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.4",
"status": "affected",
"version": "1.2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ramuel Gall"
}
],
"descriptions": [
{
"lang": "en",
"value": "By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T18:27:46.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Page Builder \u003c 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24207",
"STATE": "PUBLIC",
"TITLE": "WP Page Builder \u003c 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Page Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.4",
"version_value": "1.2.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ramuel Gall"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6"
},
{
"name": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/",
"refsource": "MISC",
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24207",
"datePublished": "2021-04-05T18:27:46.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3830 (GCVE-0-2022-3830)
Vulnerability from cvelistv5 – Published: 2022-12-05 16:50 – Updated: 2025-04-24 13:22
VLAI
Title
WP Page Builder <= 1.2.8 - Admin+ Stored Cross-Site
Summary
The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity
4.8 (Medium)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/98b2321d-fb66-4e… | exploitvdb-entrytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Page Builder |
Affected:
0 , ≤ 1.2.8
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/98b2321d-fb66-4e02-9906-63af7b08d647"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3830",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T13:22:02.940330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T13:22:41.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "affected",
"product": "WP Page Builder",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vaibhav Koli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-05T16:50:33.163Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/98b2321d-fb66-4e02-9906-63af7b08d647"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP Page Builder \u003c= 1.2.8 - Admin+ Stored Cross-Site",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3830",
"datePublished": "2022-12-05T16:50:33.163Z",
"dateReserved": "2022-11-02T09:42:40.880Z",
"dateUpdated": "2025-04-24T13:22:41.136Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-40963 (GCVE-0-2022-40963)
Vulnerability from cvelistv5 – Published: 2022-11-18 22:19 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP Page Builder plugin <= 1.2.6 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerabilities in WP Page Builder plugin <= 1.2.6 on WordPress.
Severity
4.8 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Themeum | WP Page Builder (WordPress plugin) |
Affected:
<= 1.2.6 , ≤ 1.2.6
(custom)
|
Date Public
2022-10-21 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:28:42.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-pagebuilder/wordpress-wp-page-builder-plugin-1-2-6-multiple-auth-stored-cross-site-scripting-xss-vulnerabilities?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-pagebuilder/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Page Builder (WordPress plugin)",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "1.2.6",
"status": "affected",
"version": "\u003c= 1.2.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
}
],
"datePublic": "2022-10-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerabilities in WP Page Builder plugin \u003c= 1.2.6 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:49.256Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/wp-pagebuilder/wordpress-wp-page-builder-plugin-1-2-6-multiple-auth-stored-cross-site-scripting-xss-vulnerabilities?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/wp-pagebuilder/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.2.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP Page Builder plugin \u003c= 1.2.6 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40963",
"datePublished": "2022-11-18T22:19:45.378Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:49.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24208 (GCVE-0-2021-24208)
Vulnerability from cvelistv5 – Published: 2021-04-05 18:27 – Updated: 2024-08-03 19:21
VLAI
Title
WP Page Builder < 1.2.4 - Multiple Stored Cross-Site scripting (XSS)
Summary
The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is also possible to insert malicious JavaScript via the “wppb_page_css” parameter (this can be done by closing out the style tag and opening a script tag) when performing the “wppb_page_save” AJAX action.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.themeum.com/wp-page-builder-updated-v1-2-4/ | x_refsource_MISC |
| https://wpscan.com/vulnerability/c20e243d-b0de-4a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Page Builder |
Affected:
1.2.4 , < 1.2.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Page Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.4",
"status": "affected",
"version": "1.2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ramuel Gall"
}
],
"descriptions": [
{
"lang": "en",
"value": "The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the \u201cRaw HTML\u201d widget and the \u201cCustom HTML\u201d widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the \u201cpage_builder_data\u201d parameter when performing the \u201cwppb_page_save\u201d AJAX action. It is also possible to insert malicious JavaScript via the \u201cwppb_page_css\u201d parameter (this can be done by closing out the style tag and opening a script tag) when performing the \u201cwppb_page_save\u201d AJAX action."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T18:27:46.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Page Builder \u003c 1.2.4 - Multiple Stored Cross-Site scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24208",
"STATE": "PUBLIC",
"TITLE": "WP Page Builder \u003c 1.2.4 - Multiple Stored Cross-Site scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Page Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.4",
"version_value": "1.2.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ramuel Gall"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the \u201cRaw HTML\u201d widget and the \u201cCustom HTML\u201d widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the \u201cpage_builder_data\u201d parameter when performing the \u201cwppb_page_save\u201d AJAX action. It is also possible to insert malicious JavaScript via the \u201cwppb_page_css\u201d parameter (this can be done by closing out the style tag and opening a script tag) when performing the \u201cwppb_page_save\u201d AJAX action."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/",
"refsource": "MISC",
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
},
{
"name": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/c20e243d-b0de-4ae5-9a0d-b9d02c9b8141"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24208",
"datePublished": "2021-04-05T18:27:46.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24207 (GCVE-0-2021-24207)
Vulnerability from cvelistv5 – Published: 2021-04-05 18:27 – Updated: 2024-08-03 19:21
VLAI
Title
WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts
Summary
By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.
Severity
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/21e7a46f-e9a3-4b… | x_refsource_CONFIRM |
| https://www.themeum.com/wp-page-builder-updated-v1-2-4/ | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Page Builder |
Affected:
1.2.4 , < 1.2.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Page Builder",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.4",
"status": "affected",
"version": "1.2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ramuel Gall"
}
],
"descriptions": [
{
"lang": "en",
"value": "By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T18:27:46.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Page Builder \u003c 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24207",
"STATE": "PUBLIC",
"TITLE": "WP Page Builder \u003c 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Page Builder",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.4",
"version_value": "1.2.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ramuel Gall"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/21e7a46f-e9a3-4b20-b44a-a5b6ce7b7ce6"
},
{
"name": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/",
"refsource": "MISC",
"url": "https://www.themeum.com/wp-page-builder-updated-v1-2-4/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24207",
"datePublished": "2021-04-05T18:27:46.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}