CVE-2023-6880 in Visual Composer Premium Plugin
Summary
by MITRE • 03/13/2024
The Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 45.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2023-6880 affects the Visual Composer plugin for WordPress, a widely used website builder and page construction tool that enables users to create complex layouts through drag-and-drop interfaces. This particular flaw exists within the plugin's custom fields functionality and impacts all versions up to and including 45.6.0, making it a significant concern for WordPress administrators who rely on this popular plugin for their site construction needs. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes before they are stored and subsequently rendered on web pages.
The technical implementation of this stored cross-site scripting vulnerability occurs when authenticated attackers with contributor-level permissions or higher submit malicious content through the plugin's custom fields interface. These fields are designed to accept various user inputs including text, HTML, and other attributes that define how elements appear and behave on the constructed pages. The flaw manifests because the plugin does not adequately sanitize these inputs during the storage phase, allowing malicious scripts to be permanently embedded within the database. When legitimate users subsequently access pages containing these injected scripts, the malicious code executes in their browsers, creating a persistent threat vector that can affect any user who views the compromised pages.
From an operational perspective, this vulnerability represents a serious security risk for WordPress installations using the Visual Composer plugin, as it enables attackers to escalate their privileges through persistent script execution. The impact extends beyond simple XSS attacks since the vulnerability allows for the execution of arbitrary web scripts that could potentially steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. The fact that this affects users with contributor-level permissions means that even less privileged users within a WordPress environment could leverage this vulnerability to compromise the entire site. This aligns with CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output escaping, and represents a clear violation of the principle of least privilege in web application security.
The attack surface for this vulnerability is particularly concerning given the widespread adoption of Visual Composer across WordPress installations, as it creates a persistent threat that can affect any page containing compromised custom fields. Security professionals should consider this vulnerability in the context of ATT&CK framework's T1566 technique for initial access through malicious content, as well as T1059 for command and scripting interpreter execution. The vulnerability's persistence makes it particularly dangerous since the malicious scripts remain active until manually removed from the database, and could potentially be exploited by attackers to establish backdoors or exfiltrate sensitive data from authenticated sessions. Organizations should implement immediate mitigations including plugin updates to versions that address this vulnerability, input validation restrictions, and monitoring for unauthorized modifications to custom fields, while also considering the broader implications for their WordPress security posture.
The remediation approach for this vulnerability requires immediate action from WordPress administrators to update to versions that contain proper input sanitization and output escaping mechanisms. The fix should implement comprehensive validation of user inputs, proper HTML escaping before storage, and ensure that all custom field attributes undergo strict sanitization processes. Additionally, administrators should consider implementing additional security measures such as role-based access controls that limit which users can modify custom fields, regular database audits to detect unauthorized modifications, and monitoring for suspicious script injection patterns. This vulnerability underscores the critical importance of maintaining up-to-date security practices and the necessity of implementing proper input validation at multiple layers within web applications to prevent such persistent threats from compromising user sessions and site integrity.