CVE-2025-10006
📋 TL;DR
The WPBakery Page Builder WordPress plugin has a stored XSS vulnerability in its 'rev_slider_vc' shortcode that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into pages. These scripts execute when users view the compromised pages, potentially stealing session cookies or redirecting users. This affects all versions up to 8.6 when RevSlider is also installed.
💻 Affected Systems
- WPBakery Page Builder for WordPress
📦 What is this software?
Page Builder by WPBakery
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, or redirect users to malicious sites, leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, perform actions on behalf of users, or deface website content.
If Mitigated
With proper input validation and output escaping, malicious scripts would be neutralized, preventing execution and limiting impact to data corruption at most.
🎯 Exploit Status
Requires contributor-level WordPress access and RevSlider plugin installation. Attackers need to create or edit posts/pages using the vulnerable shortcode.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 8.7 or later
Vendor Advisory: https://kb.wpbakery.com/docs/preface/release-notes/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPBakery Page Builder.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable RevSlider Plugin
Temporarily deactivate the RevSlider plugin to prevent exploitation, since the vulnerability requires both plugins.
Restrict User Roles
Limit contributor-level access to trusted users only and apply the principle of least privilege.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in shortcode attributes
- Regularly audit posts/pages for suspicious shortcode usage and monitor user activity logs
🔍 How to Verify
Check if Vulnerable:
Check WPBakery Page Builder plugin version in WordPress admin under Plugins > Installed Plugins. If version is 8.6 or lower and RevSlider is installed, system is vulnerable.
Check Version:
wp plugin list --name=js_composer --field=version (if WP-CLI is installed; js_composer is the plugin's directory slug, which is what the --name filter matches)
Verify Fix Applied:
After updating, verify plugin version shows 8.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor-level users
- Suspicious shortcode attributes containing script tags or JavaScript
Network Indicators:
- Unexpected outbound connections from WordPress pages to external domains
SIEM Query:
source="wordpress" AND (event="post_updated" OR event="page_updated") AND user_role="contributor" AND content CONTAINS "rev_slider_vc"
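The log indicator above (shortcode attributes containing script tags or JavaScript) can be checked directly against stored post content. The following is an added example, not code from the page or the plugin: it scans constructed sample posts for rev_slider_vc shortcodes whose attribute values carry script markup, event handlers or javascript: URLs. The shortcode syntax and attribute names are assumed; only the shortcode name comes from the advisory.

```python
import html
import re

# WordPress-style shortcode named rev_slider_vc; group 1 is the raw attribute string.
SHORTCODE_RE = re.compile(r'\[rev_slider_vc\b([^\]]*)\]', re.IGNORECASE)
# key="value", key='value' or key=bare
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')
# Markup that has no business inside a slider attribute value.
SUSPICIOUS_RE = re.compile(
    r'<\s*/?\s*script|\bon\w+\s*=|javascript\s*:|<\s*(iframe|svg|img)\b',
    re.IGNORECASE,
)


def parse_attrs(attr_text):
    """Parse shortcode attributes, HTML-unescaping values so entity-encoded markup is seen."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = html.unescape(value)
    return attrs


def find_suspicious_shortcodes(post_id, content):
    """Return one finding per rev_slider_vc shortcode with a suspicious attribute value."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        bad = {k: v for k, v in attrs.items() if SUSPICIOUS_RE.search(v)}
        if bad:
            findings.append({"post_id": post_id, "shortcode": m.group(0), "attributes": bad})
    return findings


def scan_posts(posts):
    """posts: iterable of (post_id, post_content) pairs, e.g. pulled from wp_posts."""
    return [f for post_id, content in posts for f in find_suspicious_shortcodes(post_id, content)]


# Constructed sample post content (hypothetical attribute names; post 101 and 104 are benign).
SAMPLE_POSTS = [
    (101, '[rev_slider_vc alias="home-slider"]'),
    (102, '[rev_slider_vc alias="promo" title="&lt;script&gt;alert(1)&lt;/script&gt;"]'),
    (103, "[rev_slider_vc alias='javascript:alert(1)' title=\"Spring sale\"]"),
    (104, '<p>No sliders here</p>'),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

In a real audit, feed it rows from wp_posts (for example via `wp post list --field=ID` plus `wp post get`) and review each flagged post's revision history to see which user introduced the attribute.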