CVE-2025-11747
📋 TL;DR
The Colibri Page Builder WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 1.0.345 are affected.
💻 Affected Systems
- Colibri Page Builder WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, deface pages, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies, redirect visitors to phishing sites, or display unwanted advertisements.
If Mitigated
With proper user access controls and content security policies, impact is limited to defacement of specific pages rather than full site compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges. The vulnerability is in a shortcode handler that doesn't properly sanitize user input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.346 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Colibri Page Builder and click 'Update Now'. 4. Verify the plugin version is 1.0.346 or higher.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily remove contributor-level access for untrusted users until patching is complete.
Implement Content Security Policy
linuxAdd a restrictive CSP header to prevent script execution from unauthorized sources.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com;"
🧯 If You Can't Patch
- Disable the Colibri Page Builder plugin entirely until patching is possible
- Implement strict user access controls and audit all contributor-level accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Colibri Page Builder version. If version is 1.0.345 or lower, you are vulnerable.Check Version:
wp plugin list --name=colibri-page-builder --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 1.0.346 or higher in the WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with colibri_blog_posts parameters
- Multiple page edits by contributor-level users in short timeframes
Network Indicators:
- External script loads from unexpected domains in page responses
- Suspicious JavaScript in page source containing colibri_blog_posts attributes
SIEM Query:
source="wordpress.log" AND ("colibri_blog_posts" OR "colibri-page-builder") AND ("POST" OR "update")🔗 References
- https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251
- https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3305b39-5f7b-493b-80b5-cb925c2710c1?source=cve
