CVE-2025-2573 in Amazing Service Box Addons for WPBakery Page Builder Plugin

Summary

by MITRE • 03/26/2025

The Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Analysis

by VulDB Data Team • 03/26/2025

The CVE-2025-2573 vulnerability affects the Amazing service box Addons For WPBakery Page Builder plugin, a popular WordPress extension that enhances the page building capabilities of WPBakery Page Builder (formerly Visual Composer). The plugin has been widely adopted across WordPress installations, making this vulnerability particularly concerning from a security perspective. The vulnerability exists within the plugin's handling of SVG file uploads, which represents a critical flaw in the web application's input validation and sanitization mechanisms.

The technical flaw stems from inadequate input sanitization and output escaping practices within the plugin's file upload functionality. When authenticated users with Author-level privileges or higher attempt to upload SVG files through the plugin's interface, the system fails to properly validate or sanitize the uploaded content. This insufficient sanitization creates a persistent cross-site scripting vulnerability where malicious scripts can be embedded within SVG files and stored on the server. The vulnerability is classified as stored XSS because the malicious code is permanently saved and executed whenever any user accesses the compromised SVG file, regardless of whether they are authenticated or not.

The operational impact of this vulnerability is significant for WordPress administrators and site owners who rely on the WPBakery Page Builder plugin. Attackers with minimal privileges can exploit this weakness to execute arbitrary JavaScript code in the browser of any user who views the compromised SVG files. This could enable various malicious activities including session hijacking, credential theft, redirection to malicious websites, or even privilege escalation within the WordPress environment. The vulnerability affects all versions up to and including 2.0.0, indicating that a substantial user base may be exposed to this risk, particularly given the plugin's widespread adoption in WordPress ecosystems.

From a cybersecurity framework perspective, this vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a clear violation of secure coding practices. The issue manifests as a failure to properly escape output and validate user inputs, which are fundamental security controls recommended by the OWASP Top Ten Project. The ATT&CK framework categorizes this vulnerability under T1059.007 (Command and Scripting Interpreter: JavaScript) and T1566 (Phishing) as it enables attackers to execute malicious scripts and potentially harvest user credentials through social engineering techniques. The vulnerability also demonstrates poor input validation practices that could be addressed through proper content type checking, file format validation, and comprehensive sanitization routines that strip or encode potentially dangerous elements from uploaded files.

Organizations should immediately update to the latest version of the plugin to remediate this vulnerability, as no patch or workaround exists for versions prior to the fixed release. System administrators should also implement network monitoring to detect unusual file upload activities and consider implementing web application firewalls to filter potentially malicious SVG content. Regular security audits of WordPress installations should include verification of plugin versions and their security posture, particularly for plugins that handle file uploads or user-generated content. The vulnerability underscores the importance of maintaining up-to-date software and implementing defense-in-depth strategies to protect against persistent threats that exploit privilege escalation vectors within content management systems.

Reservation: 03/20/2025

Disclosure: 03/26/2025

Moderation: accepted

CPE: ready

EPSS: 0.00273

KEV: no

Activities: very low
