CVE-2026-57780info

Summary

by MITRE • 07/13/2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plugin Envision Envision Page Builder envision-page-builder allows DOM-Based XSS.This issue affects Envision Page Builder: from n/a through <= 0.22.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/13/2026

Cross-site scripting vulnerabilities represent one of the most prevalent and dangerous web application security flaws, with the specific weakness identified in the Envision Page Builder plugin demonstrating a classic dom-based xss vector that can be exploited by attackers to execute malicious scripts within the context of a victim's browser session. This vulnerability falls under the common weakness enumeration category 79 which specifically addresses improper neutralization of input during web page generation, making it a fundamental flaw in how user-supplied data is processed and rendered within the web interface. The dom-based nature of this particular vulnerability means that the malicious script is executed as part of the document object model without requiring server-side processing, making it particularly insidious as it can be triggered simply by manipulating url parameters or other client-side inputs that get reflected into the page structure.

The technical implementation of this flaw in the envision page builder plugin occurs when user input is not properly sanitized or escaped before being incorporated into dynamically generated web content. This typically happens when the plugin fails to validate or encode data that originates from browser-based sources such as url parameters, form fields, or other client-side data that gets processed by javascript functions and subsequently injected into the dom structure of the page. Attackers can craft malicious urls containing script payloads that when visited by an unsuspecting user will execute within the context of the victim's session, potentially leading to session hijacking, credential theft, or further exploitation of the compromised browser environment.

The operational impact of this vulnerability extends beyond simple data theft as it provides attackers with a foothold for more sophisticated attacks within the targeted environment. When users visit maliciously crafted urls that exploit this dom-based xss flaw, they may unknowingly execute scripts that can perform actions such as stealing cookies, redirecting to malicious sites, defacing content, or even installing malware on the victim's system. The specific version range mentioned indicates that all versions up to and including 0.22 are affected, suggesting a persistent flaw in the plugin's input handling mechanisms that has not been adequately addressed in the released versions. This vulnerability directly maps to attack techniques described in the mitre attack framework under the execution and credential access domains where attackers can leverage xss vectors to establish persistent access or escalate privileges within compromised environments.

Mitigation strategies for this vulnerability require immediate attention from system administrators and developers working with wordpress installations that utilize the envision page builder plugin. The most effective immediate remediation involves upgrading to a patched version of the plugin if available, as this addresses the root cause of the improper input neutralization. Organizations should also implement content security policies that restrict script execution within the browser context, utilize proper input validation and output encoding mechanisms for all user-supplied data, and conduct regular security assessments of third-party plugins to identify similar vulnerabilities. Additionally, implementing web application firewalls with xss detection capabilities can provide an additional layer of protection while waiting for official patches to be deployed across affected systems.

Disclosure

07/13/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!