Vulnerabilities and security researches forwc-builder wc-builder

Jun 07, 2024

CVE, Research URL: CVE-2024-29926
Home page URL: Security reports for WC Builder – WooCommerce Page Builder for WPBakery
Application: WC Builder – WooCommerce Page Builder for WPBakery
Date: Mar 27, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WC Builder allows Stored XSS.This issue affects WC Builder: from n/a through 1.0.18.
Affected versions: max 1.0.19.
Status: vulnerable

Jan 11, 2026

CVE, Research URL: CVE-2025-68533
Home page URL: Security reports for WC Builder – WooCommerce Page Builder for WPBakery
Application: WC Builder – WooCommerce Page Builder for WPBakery
Date: Dec 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WC Builder wc-builder allows Stored XSS.This issue affects WC Builder: from n/a through <= 1.2.0.
Affected versions: max 1.2.0.
Status: vulnerable

CVE, Research URL: CVE-2025-14054
Home page URL: Security reports for WC Builder – WooCommerce Page Builder for WPBakery
Application: WC Builder – WooCommerce Page Builder for WPBakery
Date: Dec 21, 2025
Research Description: The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.2.1.
Status: vulnerable