Volerion logoVolerion
Volerion logoVolerion

WPBakery Page Builder Clipboard WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the WPBakery Page Builder Clipboard WordPress plugin, affecting versions prior to 4.5.6. The vulnerability arises from an AJAX action that lacked proper capability checks and data sanitization. This oversight allows low-privilege users (subscribers and above) to inject XSS payloads that are executed on all backend pages.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, log in as a user with a subscriber role or higher. Send a request to 'wp-admin/admin-ajax.php' with the action 'vc_clipboard_activate'. Include a script payload in either the 'email' or 'license_key' parameters. The injected script will be executed on the backend pages.

Remediation

Users are advised to update to WPBakery Page Builder Clipboard version 4.5.6 or later.

Added: May 15, 2026, 11:41 AM
Updated: May 15, 2026, 11:41 AM

Vulnerability Rating

Custom Algorithm
spread
1.0
impact
5.4
exploitability
6.5
remediation
7.7
relevance
0.0
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.