CVE-2025-46488 HIGH

CVE-2025-46488: WordPress Visual Builder plugin <= 1.2.2 - Broken Access Control vulnerability

Vendor Dastan800
Product Visual Builder
Weakness CWE-862 · Missing authorization
Published May 23, 2025
Last update May 12, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Missing Authorization vulnerability in dastan800 Visual Builder (visual-builder) allows Reflected XSS. This issue affects Visual Builder: from n/a through 1.2.2.

Explanation of Vulnerability in Simple Terms

02 Summary

Visual Builder versions up to 1.2.2 lack proper authorization checks, allowing an attacker to perform unauthorized actions if a user visits a malicious link. The vulnerability affects confidentiality, integrity, and availability of the site. Update to a version newer than 1.2.2 to remediate.

What an attacker can do

03 Attacker Capabilities

Perform unauthorized actions on the site by tricking a user into visiting a malicious link.

Potential impact on your site

04 Site Impact

An attacker can modify site content, access sensitive data, or disrupt site functionality via social engineering.

Conditions required to exploit

05 Prerequisites

User must click a link or visit a page controlled by the attacker; no authentication required.

Key dates

06 Disclosure timeline

May 23, 2025 CVE published
May 12, 2026 Record updated