WordPress has millions of installs, so plugins are a favorite target for attackers. A serious set of vulnerabilities—now assigned CVE-2022-40963—was found in the WP Page Builder plugin, version 1.2.6 and lower. In this post, we break down the bug, show how easy it is to exploit, and give practical mitigation advice.

What Is WP Page Builder?

WP Page Builder is a popular drag-and-drop content editor for WordPress sites. With over 60,000 installations at the time of disclosure, security problems here ripple out to thousands of production websites.

Summary

CVE-2022-40963 describes an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. Multiple places in the WP Page Builder plugin failed to sanitize user input, meaning even trusted users (like Authors or above) could plant malicious scripts that would run for anyone viewing affected pages—including site admins.

Severity: Medium/High (Depending on context and user base)
Versions Affected: 1.2.6 and below
Privilege Required: Author role or higher (“Author+”)
Vector: JavaScript gets saved in page/post content and executes in admin/editor browsers later

1. The Problem: Poor Sanitization

Certain WP Page Builder blocks (widgets) let users enter HTML or text, for example the “Raw HTML,” “Heading,” or “Text Block” widgets. The plugin did not strip <script> tags, event-handler attributes such as onerror=, or other dangerous attributes from these fields.

Knowledge of WP Page Builder usage

Then, they create or edit a page/post, drop a WP Page Builder block, and inject a simple script. Here’s what that might look like.

Paste this as the title, text content, or HTML field in a WP Page Builder block

<img src="x" onerror="alert('XSS by Author!')">

Or even shorter

<script>alert('XSS Successful!')</script>

Upon saving, this payload is stored as-is in the WordPress database. When any user (editor, admin, visitor) views the live page or the post in the editor, the attacker’s JavaScript fires.

Screenshot Example

(Create a new page, use WP Page Builder, add "Raw HTML" widget, paste payload, publish, visit the page = JS executes.)

“Author+” Matters

You need at least Author access—but in many sites (multi-author blogs), this is common. Also, sites with open signups or trust issues are especially at risk.

Patch & Mitigation

Update to WP Page Builder >= 1.2.7, which does proper sanitization.

- Official changelog: https://wordpress.org/plugins/wp-pagebuilder/#developers
- Vulnerability notice: Patchstack Report

If you must stick to an old version

- Restrict Author+ roles: limit user creation and role escalation
- Add WAF (Web Application Firewall) rules for suspicious input
- Regularly scan your site with tools like WPScan
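
Sites that cannot upgrade yet can also audit content that is already stored. The script below is an added example, not code from the plugin or from the original post: it assumes the stored page content has been exported as (post_id, author, html) rows, and the names ActiveContentFinder and scan_rows are hypothetical. It goes beyond the two payloads shown above by also flagging other active elements and javascript: URLs.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}   # elements that run or embed active content
URL_ATTRS = {"href", "src", "action", "formaction"}     # attributes that can carry a javascript: URL


class ActiveContentFinder(HTMLParser):
    """Records (kind, tag, attribute) for markup that can execute script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in values.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag, ""))
        for name, value in attrs:
            if name.startswith("on"):                    # onerror=, onload=, onclick=, ...
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS and value:
                # Drop whitespace before comparing, since browsers ignore tabs and newlines in URLs.
                if "".join(value.split()).lower().startswith("javascript:"):
                    self.findings.append(("javascript-url", tag, name))


def scan_rows(rows):
    """rows: iterable of (post_id, author, html). Returns one tuple per finding."""
    report = []
    for post_id, author, html in rows:
        finder = ActiveContentFinder()
        finder.feed(html)
        finder.close()
        report += [(post_id, author, *f) for f in finder.findings]
    return report


# Constructed sample rows; 102 and 103 reuse the two payloads shown in this post.
SAMPLE_ROWS = [
    (101, "alice", '<h2>Welcome</h2><p>See <a href="/about">about us</a></p>'),
    (102, "bob", "<img src=\"x\" onerror=\"alert('XSS by Author!')\">"),
    (103, "bob", "<script>alert('XSS Successful!')</script>"),
    (104, "bob", '<a href="javascript:void(0)">menu</a>'),
]

if __name__ == "__main__":
    for post_id, author, kind, tag, attr in scan_rows(SAMPLE_ROWS):
        print(f"post {post_id} (author {author}): {kind} on <{tag}> {attr}")
```

Findings are candidates for review rather than proof of compromise, since some sites embed scripts or iframes on purpose; grouping them by author shows which accounts to check first.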

References

- NIST NVD: CVE-2022-40963
- Patchstack WP Page Builder Report
- WP Page Builder Plugin Page
- WPScan Entry

Conclusion: What Should You Do?

If your WordPress site uses WP Page Builder, update now. Even trusted users can go rogue, or their accounts can be compromised. Don't just rely on trust—make sure your plugins sanitize all user input.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 19:34:00 UTC