CVE-2025-9560

Published October 11th, 2025

View on NVD ↗

CVSS v3

6.4

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Colibri Page Builder

Colibri Page Builder adds drag and drop page builder functionality to the ColibriWP theme. <h3>License</h3> Unless otherwise specified, all the theme files and scripts are licensed under GNU General Public License. The exceptions to this license are as follows: The exceptions to this license are as follows: <ul> <li> bem-sass – https://github.com/jaeseungyum/bem-sass Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> blob-util – https://github.com/nolanlawson/blob-util#readme Licensed under the Apache-2.0 license (https://www.apache.org/licenses/LICENSE-2.0) </li> <li> clean-deep – https://github.com/nunofgs/clean-deep Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> desandro-matches-selector – Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> domready – https://github.com/ded/domready Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> ev-emitter – https://github.com/metafizzy/ev-emitter#readme Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> outlayer – https://github.com/metafizzy/outlayer Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> vue-directive-tooltip – https://github.com/hekigan/vue-directive-tooltip#readme Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> vue-svgicon – https://github.com/MMF-FE/vue-svgicon#readme Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> Ionicons – https://ionicons.com Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> Icon by Font Awesome (https://fontawesome.com) Licensed under the CC BY 4.0 license (https://fontawesome.com/license/free) </li> <li> Icons8 Line Awesome (https://github.com/icons8/line-awesome) Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> Kube.CSS & JS Framework – http://imperavi.com/kube/ Copyright (c) 2009-2017, Imperavi LLC. Licensed under the MIT license (https://opensource.org/licenses/MIT) </li> <li> Framework – Bootstrap Licensed Under MIT license ( https://opensource.org/licenses/MIT) </li> <li> axios – https://github.com/axios/axios Licensed under the MIT license (https://github.com/axios/axios/raw/master/LICENSE) </li> <li> bem-cn – https://github.com/albburtsev/bem-cn Licensed under the MIT license (https://github.com/albburtsev/bem-cn/raw/master/LICENSE) </li> <li> blob-util – https://github.com/nolanlawson/blob-util Licensed under the Apache-2.0 license (https://github.com/nolanlawson/blob-util/raw/master/LICENSE) </li> <li> change-case – https://github.com/blakeembrey/change-case Licensed under the MIT license (https://github.com/blakeembrey/change-case/raw/master/LICENSE) </li> <li> clean-deep – https://github.com/nunofgs/clean-deep Licensed under the MIT license (https://github.com/nunofgs/clean-deep/raw/master/LICENSE) </li> <li> countup.js – https://github.com/inorganik/countUp.js Licensed under the MIT license (https://github.com/inorganik/countUp.js/raw/master/LICENSE.md) </li> <li> countup – https://github.com/inorganik/countUp.js Licensed under the MIT license (https://github.com/inorganik/countUp.js/raw/master/LICENSE.md) </li> <li> cssobj-core – https://github.com/cssobj/cssobj-core Licensed under the MIT license (https://github.com/cssobj/cssobj-core) </li> <li> cssobj-plugin-cssom – https://github.com/cssobj/cssobj-plugin-cssom Licensed under the MIT license (https://github.com/cssobj/cssobj-plugin-cssom) </li> <li> deepdash-es – https://github.com/YuriGor/deepdash Licensed under the MIT license (https://github.com/YuriGor/deepdash) </li> <li> dnd-core – https://github.com/react-dnd/react-dnd Licensed under the BSD-3-Clause license (https://github.com/react-dnd/react-dnd/raw/master/LICENSE) </li> <li> dragula – https://github.com/bevacqua/dragula Licensed under the MIT license (https://github.com/bevacqua/dragula/raw/master/license) </li> <li> element-ui – https://github.com/ElemeFE/element Licensed under the MIT license (https://github.com/ElemeFE/element/raw/master/LICENSE) </li> <li> escape-string-regexp – https://github.com/sindresorhus/escape-string-regexp Licensed under the MIT license (https://github.com/sindresorhus/escape-string-regexp/raw/master/license) </li> <li> eslint-config-airbnb – https://github.com/airbnb/javascript Licensed under the MIT license (https://github.com/airbnb/javascript/raw/master/LICENSE.md) </li> <li> firebase-firestore-fields – https://github.com/invertase/firebase-firestore-fields Licensed under the APACHE-2.0 license (https://github.com/invertase/firebase-firestore-fields/raw/master/LICENSE) </li> <li> firebase – https://github.com/firebase/firebase-js-sdk Licensed under the Apache-2.0 license (https://github.com/firebase/firebase-js-sdk) </li> <li> firebaseui – https://github.com/firebase/firebaseui-web Licensed under the Apache-2.0 license (https://github.com/firebase/firebaseui-web/raw/master/LICENSE) </li> <li> fuse.js – https://github.com/krisk/Fuse Licensed under the Apache license (https://github.com/krisk/Fuse/raw/master/LICENSE) </li> <li> get-urls – https://github.com/sindresorhus/get-urls Licensed under the MIT license (https://github.com/sindresorhus/get-urls/raw/master/license) </li> <li> glob – https://github.com/isaacs/node-glob Licensed under the ISC license (https://github.com/isaacs/node-glob/raw/master/LICENSE) </li> <li> hotkeys-js – https://github.com/jaywcjlove/hotkeys Licensed under the MIT license (https://github.com/jaywcjlove/hotkeys/raw/master/LICENSE) </li> <li> html2canvas – https://github.com/niklasvh/html2canvas Licensed under the MIT license (https://github.com/niklasvh/html2canvas/raw/master/LICENSE) </li> <li> is-image-url – https://github.com/wzbg/is-image-url Licensed under the MIT license (https://github.com/wzbg/is-image-url/raw/master/LICENSE) </li> <li> jquery-animated-headlines – https://github.com/GeoffSelby/jquery-animated-headlines Licensed under the MIT license (https://github.com/GeoffSelby/jquery-animated-headlines) </li> <li> jquery-circle-progress – https://github.com/kottenator/jquery-circle-progress Licensed under the MIT license (https://github.com/kottenator/jquery-circle-progress/raw/master/LICENSE) </li> <li> jquery-easing – https://github.com/viskin/jquery-easing Licensed under the LicenseRef-LICENSE license (https://github.com/viskin/jquery-easing/raw/master/LICENSE) </li> <li> jsdom-global – https://github.com/rstacruz/jsdom-global Licensed under the MIT license (https://github.com/rstacruz/jsdom-global) </li> <li> jsdom – https://github.com/jsdom/jsdom Licensed under the MIT license (https://github.com/jsdom/jsdom/raw/master/LICENSE.txt) </li> <li> jsondiffpatch – https://github.com/benjamine/jsondiffpatch Licensed under the MIT license (https://github.com/benjamine/jsondiffpatch) </li> <li> jump.js – https://github.com/callmecavs/jump.js Licensed under the MIT license (https://github.com/callmecavs/jump.js) </li> <li> lodash.debounce – https://github.com/lodash/lodash Licensed under the MIT license (https://github.com/lodash/lodash/raw/master/LICENSE) </li> <li> lodash – https://github.com/lodash/lodash Licensed under the MIT license (https://github.com/lodash/lodash/raw/master/LICENSE) </li> <li> masonry-layout – https://github.com/desandro/masonry Licensed under the MIT license (https://github.com/desandro/masonry) </li> <li> nouislider – https://github.com/leongersen/noUiSlider Licensed under the WTFPL license (https://github.com/leongersen/noUiSlider/raw/master/LICENSE) </li> <li> npm-license-crawler – https://github.com/mwittig/npm-license-crawler Licensed under the BSD-3-Clause license (https://github.com/mwittig/npm-license-crawler/raw/master/LICENSE) </li> <li> npm – https://github.com/npm/cli Licensed under the Artistic-2.0 license (https://github.com/npm/cli/raw/master/.licensee.json) </li> <li> pako – https://github.com/nodeca/pako Licensed under the (MIT AND Zlib) license (https://github.com/nodeca/pako/raw/master/LICENSE) </li> <li> popper.js – https://github.com/FezVrasta/popper.js Licensed under the MIT license (https://github.com/FezVrasta/popper.js) </li> <li> postcss-js – https://github.com/postcss/postcss-js Licensed under the MIT license (https://github.com/postcss/postcss-js/raw/master/LICENSE) </li> <li> postcss – https://github.com/postcss/postcss Licensed under the MIT license (https://github.com/postcss/postcss/raw/master/LICENSE) </li> <li> pretty – https://github.com/jonschlinkert/pretty Licensed under the MIT license (https://github.com/jonschlinkert/pretty/raw/master/LICENSE) </li> <li> react-dnd-html5-backend – https://github.com/react-dnd/react-dnd Licensed under the BSD-3-Clause license (https://github.com/react-dnd/react-dnd/raw/master/LICENSE) </li> <li> shortcode-insert – https://github.com/whitebolt/shortcode-insert Licensed under the MIT license (https://github.com/whitebolt/shortcode-insert/raw/master/LICENCE.md) </li> <li> sortablejs – https://github.com/SortableJS/Sortable Licensed under the MIT license (https://github.com/SortableJS/Sortable) </li> <li> speakingurl – https://github.com/pid/speakingurl Licensed under the BSD-3-Clause license (https://github.com/pid/speakingurl/raw/master/LICENSE) </li> <li> string-template-parser – https://github.com/souldreamer/string-template-parser Licensed under the MIT license (https://github.com/souldreamer/string-template-parser) </li> <li> swiper – https://github.com/nolimits4web/Swiper Licensed under the MIT license (https://github.com/nolimits4web/Swiper/raw/master/LICENSE) </li> <li> tinycolor2 – https://bgrinshub.com/TinyColor Licensed under the MIT license (https://bgrinshub.com/TinyColor) </li> <li> to-css – https://github.com/joakimbeng/to-css Licensed under the MIT license (https://github.com/joakimbeng/to-css) </li> <li> to-px – https://github.com/mikolalysenko/to-px Licensed under the MIT license (https://github.com/mikolalysenko/to-px/raw/master/LICENSE) </li> <li> v-click-outside – https://github.com/ndelvalle/v-click-outside Licensed under the MIT license (https://github.com/ndelvalle/v-click-outside/raw/master/LICENSE) </li> <li> v-hotkey – https://github.com/Dafrok/v-hotkey Licensed under the MIT license (https://github.com/Dafrok/v-hotkey/raw/master/LICENSE) </li> <li> vue-async-computed – https://github.com/foxbenjaminfox/vue-async-computed Licensed under the MIT license (https://github.com/foxbenjaminfox/vue-async-computed/raw/master/LICENSE) </li> <li> vue-awesome-swiper – https://github.com/surmon-china/vue-awesome-swiper Licensed under the MIT license (https://github.com/surmon-china/vue-awesome-swiper/raw/master/LICENSE) </li> <li> vue-bem-cn – https://github.com/c01nd01r/vue-bem-cn Licensed under the MIT license (https://github.com/c01nd01r/vue-bem-cn/raw/master/LICENSE) </li> <li> vue-clickaway – https://github.com/simplesmiler/vue-clickaway Licensed under the MIT license (https://github.com/simplesmiler/vue-clickaway/raw/master/LICENSE) </li> <li> vue-context-menu – https://github.com/vmaimone/vue-context-menu Licensed under the ISC license (https://github.com/vmaimone/vue-context-menu) </li> <li> vue-context – https://github.com/rawilk/vue-context Licensed under the MIT license (https://github.com/rawilk/vue-context/raw/master/LICENSE) </li> <li> vue-count-to Licensed under the MIT license (http://panjiachen.github.io/countTo/demo/) </li> <li> vue-countup-v2 – https://github.com/xlsdg/vue-countup-v2 Licensed under the MIT license (https://github.com/xlsdg/vue-countup-v2/raw/master/LICENSE) </li> <li> vue-firestore Licensed under the MIT license </li> <li> vue-fraction-grid – https://github.com/bkzl/vue-fraction-grid Licensed under the MIT license (https://github.com/bkzl/vue-fraction-grid/raw/master/LICENSE) </li> <li> vue-free-transform – https://github.com/skmail/vue-free-transform Licensed under the MIT* license (https://github.com/skmail/vue-free-transform/raw/master/LICENSE.md) </li> <li> vue-hoc – https://github.com/jackmellis/vue-hoc Licensed under the Apache-2.0 license (https://github.com/jackmellis/vue-hoc/raw/master/LICENSE) </li> <li> vue-localstorage – https://github.com/pinguinjkeke/vue-local-storage Licensed under the MIT license (https://github.com/pinguinjkeke/vue-local-storage/raw/master/LICENSE) </li> <li> vue-mutation-observer – https://github.com/PNKBizz/vue-mutation-observer Licensed under the MIT license (https://github.com/PNKBizz/vue-mutation-observer) </li> <li> vue-perfect-scrollbar – https://github.com/Degfy/vue-perfect-scrollbar Licensed under the MIT license (https://github.com/Degfy/vue-perfect-scrollbar) </li> <li> vue-quill-editor – https://github.com/surmon-china/vue-quill-editor Licensed under the MIT license (https://github.com/surmon-china/vue-quill-editor/raw/master/LICENSE) </li> <li> vue-react-dnd – https://github.com/jenshaase/vue-react-dnd Licensed under the MIT license (https://github.com/jenshaase/vue-react-dnd/raw/master/LICENSE) </li> <li> vue-scrollto – https://github.com/rigor789/vue-scrollto Licensed under the MIT license (https://github.com/rigor789/vue-scrollto/raw/master/LICENSE) </li> <li> vue-shortkey – https://github.com/iFgR/vue-shortkey Licensed under the MIT license (https://github.com/iFgR/vue-shortkey/raw/master/LICENSE) </li> <li> vue-slider-component – https://github.com/NightCatSama/vue-slider-component Licensed under the MIT license (https://github.com/NightCatSama/vue-slider-component/raw/master/LICENSE) </li> <li> vue-sortable – https://github.com/sagalbot/vue-sortable Licensed under the MIT license (https://github.com/sagalbot/vue-sortable/raw/master/LICENSE.md) </li> <li> vue-videobg – https://github.com/pespantelis/vue-videobg Licensed under the MIT license (https://github.com/pespantelis/vue-videobg/raw/master/LICENSE) </li> <li> vue-virtual-collection – https://github.com/starkwang/vue-virtual-collection Licensed under the MIT license (https://github.com/starkwang/vue-virtual-collection/raw/master/LICENSE) </li> <li> vue – https://github.com/vuejs/vue Licensed under the MIT license (https://github.com/vuejs/vue/raw/master/LICENSE) </li> <li> vuefire – https://github.com/vuejs/vuefire Licensed under the MIT license (https://github.com/vuejs/vuefire/raw/master/LICENSE) </li> <li> vuex-persist – https://github.com/championswimmer/vuex-persist Licensed under the MIT license (https://github.com/championswimmer/vuex-persist/raw/master/LICENSE.md) </li> <li> vuex – https://github.com/vuejs/vuex Licensed under the MIT license (https://github.com/vuejs/vuex/raw/master/LICENSE) </li> <li> webfontloader – https://github.com/typekit/webfontloader Licensed under the Apache-2.0 license (https://github.com/typekit/webfontloader/raw/master/LICENSE) </li> <li> extend-builder/assets/images/x-header-default.jpg Source: https://www.maxpixel.net/Wave-Abstract-Pattern-Lines-Movement-Swing-1500063 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/1.jpg Source: https://stocksnap.io/photo/RMOCSAQNUG Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/2.jpg Source: https://stocksnap.io/photo/Y8OHDLLUN1 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/3.jpg Source: https://pxhere.com/en/photo/1432895 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/4.jpg Source: https://stocksnap.io/photo/LPZFCLQN45 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/5.jpg Source: https://stocksnap.io/photo/UDWZ9OZ6QQ Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/6.jpg Source: https://pxhere.com/en/photo/1592854 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/7.jpg Source: https://pxhere.com/en/photo/1427195 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/8.jpg Source: https://stocksnap.io/photo/96DA9Q241I Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/masonry-1.jpg Source: https://stocksnap.io/photo/96DA9Q241I Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/masonry-2.jpg Source: https://pxhere.com/en/photo/1427195 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/masonry-3.jpg Source: https://stocksnap.io/photo/Y8OHDLLUN1 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/masonry-4.jpg Source: https://pxhere.com/en/photo/1432895 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/masonry-5.jpg Source: https://stocksnap.io/photo/RMOCSAQNUG Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/masonry-6.jpg Source: https://stocksnap.io/photo/UDWZ9OZ6QQ Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <li> extend-builder/assets/images/masonry-7.jpg Source: https://pxhere.com/en/photo/1592854 Licensed under Creative Commons Zero license, http://creativecommons.org/publicdomain/zero/1.0/ </li> <l

WordPress Plugin Directory

3.92M