What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Techeshta Card Elements for WPBakery card-elements-for-wpbakery allows DOM-Based XSS.This issue affects Card Elements for WPBakery: from n/a through <= 1.0.8.
Explanation of Vulnerability in Simple Terms
02Summary
Card Elements for WPBakery versions up to 1.0.8 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts into card element content. When other users view the affected page, the script executes in their browser, potentially allowing the attacker to steal session data or perform actions on their behalf. The vulnerability requires user interaction to trigger.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that execute when other users view the page, stealing their session data or performing actions as them.
Potential impact on your site
04Site Impact
Authenticated users can inject persistent malicious code affecting all site visitors, compromising user sessions and data.
Conditions required to exploit
05Prerequisites
Attacker needs a low-privilege WordPress account and must trick a user into viewing the affected page.
Key dates
06Disclosure timeline
September 22, 2025
CVE published
May 13, 2026
Record updated