CVE-2025-62748
📋 TL;DR
This DOM-based XSS vulnerability in Genetech Products' Web and WooCommerce Addons for WPBakery Builder allows attackers to inject malicious scripts that execute in users' browsers when they visit compromised pages. It affects WordPress sites using this plugin up to version 1.5. Attackers can steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- Web and WooCommerce Addons for WPBakery Builder
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of WordPress site, install backdoors, deface website, or steal sensitive customer data from WooCommerce stores.
Likely Case
Attackers steal user session cookies, redirect visitors to malicious sites, or perform limited actions within the compromised user's context.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers.
🎯 Exploit Status
DOM-based XSS typically requires user interaction but can be exploited via crafted links or stored payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Web and WooCommerce Addons for WPBakery Builder'. 4. Click 'Update Now' if update available. 5. If no update, download version 1.6+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the affected plugin until patched
wp plugin deactivate vc-addons-by-bit14
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Implement WAF rules to block XSS payloads in requests
- Disable user input fields that trigger the DOM manipulation
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed PluginsCheck Version:
wp plugin get vc-addons-by-bit14 --field=versionVerify Fix Applied:
Verify plugin version is 1.6 or higher after update📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests with script tags or JavaScript payloads to plugin endpoints
- Multiple failed login attempts after visiting specific pages
Network Indicators:
- Outbound connections to suspicious domains from user browsers after visiting site pages
- Unexpected redirects in HTTP traffic
SIEM Query:
source="web_access" AND (uri="*vc-addons*" OR uri="*wp-content/plugins/vc-addons*") AND (request="*<script>*" OR request="*javascript:*" OR request="*onload=*" OR request="*onerror=*")