CVE-2025-14785 in Website Builder by SeedProd Plugin
Summary
by MITRE • 07/08/2026
The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `seedprodnestedmenuwidget` shortcode in all versions up to, and including, 6.20.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability identified in the SeedProd Website Builder plugin represents a critical stored cross-site scripting flaw that affects versions up to and including 6.20.2. This security weakness resides within the plugin's `seedprodnestedmenuwidget` shortcode implementation, where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied attributes. The vulnerability specifically targets authenticated attackers who possess contributor-level access or higher privileges within WordPress environments, making it particularly concerning for sites that maintain multiple user roles with varying permission levels.
The technical exploitation of this vulnerability occurs through the manipulation of shortcode attributes that are processed by the plugin's theme builder and landing page creation functionality. When an attacker with sufficient privileges creates or modifies content using the affected shortcode, malicious script code can be injected into the plugin's output generation process. This stored payload persists within the WordPress database and executes whenever any user accesses pages containing the compromised shortcode, regardless of whether the user has administrative privileges or is a regular site visitor. The vulnerability demonstrates poor input validation practices that directly violate security principles outlined in CWE-79, which specifically addresses cross-site scripting vulnerabilities resulting from insufficient sanitization of user-controllable inputs.
From an operational perspective, this vulnerability creates significant risk for WordPress sites utilizing the SeedProd plugin, particularly those with multiple contributors or users who may inadvertently be compromised through social engineering or account takeovers. The impact extends beyond simple script execution as attackers can potentially harvest cookies, session tokens, or other sensitive information from authenticated users accessing compromised pages. The stored nature of the vulnerability means that malicious payloads remain active until manually removed from the database, creating persistent attack vectors that can be exploited repeatedly over time. This characteristic aligns with ATT&CK technique T1566, which involves the exploitation of vulnerabilities in web applications to gain unauthorized access or execute malicious code.
The remediation strategy for this vulnerability requires immediate attention through plugin updates to versions that properly sanitize and escape all user-supplied attributes within the affected shortcode implementation. Organizations should implement comprehensive input validation measures that filter out potentially dangerous characters and patterns before processing user input, while also ensuring proper output escaping mechanisms are in place when rendering content to end users. Additionally, security teams should conduct thorough audits of all active plugins to identify similar vulnerabilities in other components and establish monitoring procedures to detect anomalous shortcode usage patterns. The vulnerability underscores the importance of maintaining up-to-date software versions and implementing robust access control measures to limit privilege escalation opportunities for potential attackers.