What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Beaver Builder WordPress Assistant assistant allows Reflected XSS. This issue affects WordPress Assistant: from n/a through <= 1.5.2.
Explanation of Vulnerability in Simple Terms
02 Summary
The WordPress Assistant plugin for Beaver Builder contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.5.2. An attacker can inject malicious scripts that execute in the browsers of site visitors and administrators. The vulnerability requires user interaction to trigger, but once injected, the malicious code persists and affects all users who view the compromised content.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that runs in visitors' browsers and steals session cookies or credentials, or performs actions on their behalf.
Potential impact on your site
04 Site Impact
Visitors and admins may have their accounts compromised or be redirected to phishing sites; site reputation and user trust are at risk.
Conditions required to exploit
05 Prerequisites
The attacker needs to trick a site user into visiting a malicious link or page; no authentication is required to craft the payload.
Key dates
06 Disclosure timeline
September 5, 2025: CVE published
April 28, 2026: Record updated