WPBakery Plugin Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in the WPBakery Page Builder plugin for WordPress, affecting versions prior to 6.4.1. It allows authenticated users with the Contributor or Author role to store arbitrary JavaScript in post content. WordPress normally passes content saved by users who lack the unfiltered_html capability (Contributors and Authors on a single-site install) through its KSES filters, which strip script tags, on* event-handler attributes and javascript: URLs on save. The plugin disabled that filtering for these roles, so HTML and JavaScript submitted through the page builder were saved as written.

Impact

Successful exploitation yields authenticated stored XSS: the injected script runs in the browser of anyone who views or previews the affected post, with that viewer's WordPress session. Because a Contributor's posts are held for review, the payload is likely to execute for the Editor or Administrator who opens it, and a script running in an administrator's session can perform any action that account can, up to full site takeover. Posts by Authors publish directly, so their payloads also reach ordinary visitors.

Reproduction

To reproduce, log in as a user with the Contributor or Author role and edit a post with the WPBakery page builder editor. Saving from that editor invokes the plugin's 'saveAjaxFe' handler, which removed WordPress's KSES filtering before the content was written, so a payload such as a script tag or an on* event-handler attribute placed in the post content is stored verbatim and executes when the post is viewed or previewed. A quick check that a site is fixed: perform the same save on the patched version and confirm that only allowlisted markup remains in the stored post_content.

Remediation

Update the WPBakery plugin to version 6.4.1 or later. WPBakery is commonly bundled with commercial themes rather than installed from the wordpress.org directory, so a theme-bundled copy may show no update notice; in that case contact the theme developer for a release that ships 6.4.1 or later. Updating does not re-filter content that was saved while the bug was present, so also review posts created by Contributor and Author accounts for script tags, on* attributes and javascript: URLs, and treat any hit as a possible compromise of the accounts that viewed it.
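The filtering step that the Reproduction section says the plugin removed, and the post-update review suggested above, as an added example in Python; this is illustrative code, not WPBakery's or WordPress's. It models WordPress's KSES allowlist filtering with a small allowlist (an assumption, not the real wp_kses_post() table), shows the same save with the filters removed, and runs a triage scan over constructed rows shaped like wp_posts joined to each author's role. The role-to-capability mapping assumes a single-site install where Administrators and Editors hold unfiltered_html.

```python
# Illustrative code, not WPBakery's or WordPress's: KSES-style save filtering,
# the filter-removed (vulnerable) save path, and a triage scan for stored payloads.
import re
from html import escape
from html.parser import HTMLParser

# Assumption: a small subset of the tags/attributes wp_kses_post() permits.
ALLOWED = {
    "p": {"class"}, "a": {"href", "title", "class"}, "strong": set(),
    "em": set(), "img": {"src", "alt", "width", "height"}, "br": set(),
    "ul": set(), "li": set(), "div": {"class", "id"}, "span": {"class"},
}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")
# Assumption: single-site WordPress, where only these roles hold unfiltered_html.
UNFILTERED_ROLES = {"administrator", "editor"}
LOW_PRIV_ROLES = {"contributor", "author"}

def url_ok(value):
    """Reject dangerous URL schemes; relative URLs pass."""
    # Remove whitespace/control chars first so "java\nscript:" is still caught.
    m = SCHEME_RE.match(re.sub(r"[\s\x00-\x1f]", "", value).lower())
    return m is None or m.group(1) in SAFE_SCHEMES

class KsesLikeFilter(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and attributes: other tags
    are dropped but their text survives, script/style bodies are dropped whole,
    and text nodes are re-escaped."""

    def __init__(self):
        super().__init__()        # convert_charrefs=True: entities are decoded
        self.out, self.drop_depth = [], 0   # drop_depth > 0 inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_depth += 1
        elif tag in ALLOWED:      # non-allowlisted tags are stripped, text kept
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED[tag]:          # also drops every on* handler
                    continue
                if name in ("href", "src") and not url_ok(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_depth = max(0, self.drop_depth - 1)
        elif tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

def kses_filter(html):
    """What content_save_pre filtering does for a user without unfiltered_html."""
    parser = KsesLikeFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def save_post_content(content, author_role, kses_filters_active=True):
    """kses_filters_active=False is the vulnerable state the advisory describes:
    the filters were removed, so Contributor/Author markup is stored verbatim."""
    if author_role in UNFILTERED_ROLES or not kses_filters_active:
        return content
    return kses_filter(content)

# Markup the normal save path would never have kept for a low-privilege author.
SUSPECT_RE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript\s*:|<iframe\b|<svg\b", re.I)

def find_suspicious_posts(posts):
    """Triage: (post ID, first indicator) for Contributor/Author posts whose
    stored content carries markup KSES would have stripped."""
    hits = []
    for post in posts:
        if post["author_role"] in LOW_PRIV_ROLES:
            m = SUSPECT_RE.search(post["post_content"])
            if m:
                hits.append((post["ID"], m.group(0)))
    return hits

# Constructed rows, shaped like wp_posts joined to each author's role.
SAMPLE_POSTS = [
    {"ID": 101, "author_role": "contributor",
     "post_content": '<p>Hello</p><script>fetch("/wp-admin/user-new.php")</script>'},
    {"ID": 102, "author_role": "author",
     "post_content": '<a href="javascript:alert(document.cookie)">win</a>'},
    {"ID": 103, "author_role": "contributor",
     "post_content": '<p class="intro">Plain <strong>text</strong> only.</p>'},
    {"ID": 104, "author_role": "administrator",
     "post_content": "<script>/* administrators hold unfiltered_html */</script>"},
]

if __name__ == "__main__":
    payload = SAMPLE_POSTS[0]["post_content"]
    print("filtered:", save_post_content(payload, "contributor"))
    print("bypassed:", save_post_content(payload, "contributor", False))
    print("suspect: ", find_suspicious_posts(SAMPLE_POSTS))
```

Running the script shows the Contributor's script tag reduced to `<p>Hello</p>` on the normal path and stored intact on the bypassed path, and the scan reports posts 101 and 102 while skipping the administrator's post, whose role legitimately holds unfiltered_html. On a real site the rows would come from a database export of wp_posts joined to the author's role; the regex is a first-pass indicator list, so hits still need a human look before any account is reset.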

Added: Apr 7, 2026, 10:15 AM
Updated: Apr 7, 2026, 10:15 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined into the overall risk score.