CVE | April 24, 2026 | 5 min read

CVE-2025-13456: Reflected XSS in ShopBuilder WooCommerce Plugin (CVSS 6.1)

A Reflected Cross-Site Scripting vulnerability has been discovered in the ShopBuilder WordPress plugin for WooCommerce. Tracked as CVE-2025-13456 with a CVSS score of 6.1 (Medium), this flaw affects versions before 3.2.2. It allows an attacker to inject malicious JavaScript that executes in the browser of an unsuspecting administrator. ShopBuilder, with over 5,000 active installations, is a popular page builder plugin designed specifically for WooCommerce stores. It lets store owners customize shop pages, product pages, cart pages, and checkout layouts without writing code. Researchers disclosed this vulnerability responsibly through the WordPress plugin vulnerability disclosure process. The development team released version 3.2.2 with the necessary security fixes.

CVE-2025-13456 ShopBuilder XSS vulnerability: Understanding ShopBuilder and WooCommerce Builder Plugins

ShopBuilder is a WooCommerce-focused page builder that gives store owners drag-and-drop control over their storefront design. Unlike general page builders, ShopBuilder integrates directly with WooCommerce hooks and templates. This allows users to customize product grids, add-to-cart buttons, checkout fields, and order confirmation pages. The plugin works by replacing WooCommerce template files with its own customizable versions. It handles a significant amount of user input including page parameters, shortcode attributes, and configuration settings.

ShopBuilder processes URL parameters and form data to render dynamic content. Any failure to properly sanitize and escape this input creates an XSS attack surface. In an e-commerce environment, the stakes are particularly high. Admin sessions have access to customer payment data, order information, and store configuration.

The plugin architecture of page builders like ShopBuilder often involves shortcode processing, AJAX handlers, and template preview modes. Each of these entry points can potentially reflect user input back to the browser. The CVE-2025-13456 vulnerability existed in one of these template rendering parameters. The plugin accepted a value from the URL and wrote it into the page without sanitizing the input or escaping the output.

CVE-2025-13456 ShopBuilder XSS vulnerability: Reflected XSS vs. Stored XSS

Understanding the difference between reflected and stored XSS is important for assessing risk and applying the right defenses. Reflected XSS, the type found in CVE-2025-13456, occurs when malicious JavaScript resides in a URL or HTTP request. The server immediately reflects it back in the response without storing it in the database. The victim must click a crafted link. This causes the browser to send the malicious payload to the vulnerable server, which reflects it back and executes it in the victim’s browser context.

Stored XSS, by contrast, saves the malicious payload in the database. It executes every time any user visits the affected page. While stored XSS is generally more dangerous due to its persistence, reflected XSS has its own advantages for attackers. The payload lives entirely in the URL, so nothing is written to the site's database and only the web server's access logs may record the request. A single phishing email with a crafted link can compromise an administrator’s session. The attacker never needs authenticated access to the site.

Reflected XSS in the WordPress admin area is especially dangerous. Admin cookies, once stolen, provide unrestricted access to the entire site. For a comprehensive comparison of XSS types and their prevention, see our guide on 7 WordPress Security Mistakes That Leave Your Site Wide Open.

Technical Breakdown of the Vulnerability

ShopBuilder before version 3.2.2 fails to properly sanitize and escape a specific parameter before outputting it back in the page. The exact vulnerable parameter relates to the plugin’s template rendering and preview functionality. When an attacker crafts a URL containing JavaScript code in this parameter and convinces an administrator to click it, the browser sends the request. The server processes it and includes the unsanitized parameter value in the HTML response, where the browser executes it as JavaScript.

A typical vulnerable code pattern might look like this:

// Vulnerable pattern (before 3.2.2): the raw query parameter is written straight into
// an HTML attribute, so a value containing a quote can close the attribute and inject markup.
$template_id = $_GET['preview_template'];
echo '<div class="preview-wrapper" data-template="' . $template_id . '">';

// Patched pattern (3.2.2+): sanitize on input, then escape on output for the attribute context.
// isset() avoids an undefined-index warning; wp_unslash() removes the slashes WordPress adds to request data.
$template_id = isset( $_GET['preview_template'] )
    ? sanitize_text_field( wp_unslash( $_GET['preview_template'] ) )
    : '';
echo '<div class="preview-wrapper" data-template="' . esc_attr( $template_id ) . '">';

The fix in version 3.2.2 applies both input sanitization and output escaping to the vulnerable parameter. This defense-in-depth approach ensures that even if one layer fails, the other provides protection.
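As an added example (not code from the page or from the ShopBuilder project), a small Python code-review heuristic that flags the vulnerable pattern above: it tracks variables assigned from PHP request superglobals and reports any echo/print that emits one outside a WordPress escaper call. Its constructed input is the page's own before/after snippets; the parameter name preview_template is the page's illustrative name, and the check is a line-oriented heuristic rather than a full PHP taint analyser.

```python
import re

REQUEST_VARS = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}   # untrusted request data
# WordPress output escapers that make a value safe for its output context.
ESCAPERS = ("esc_attr", "esc_html", "esc_js", "esc_url", "esc_textarea",
            "wp_kses_post", "wp_kses", "absint", "intval")
ESCAPER_CALL = re.compile(r"\b(" + "|".join(ESCAPERS) + r")\s*\(")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*(//.*)?$")
OUTPUT = re.compile(r"\becho\b|\bprint\b|<\?=")
VAR = re.compile(r"\$\w+")

def _escaped_spans(line):
    """Character ranges covered by the argument list of each escaper call on a line."""
    spans = []
    for m in ESCAPER_CALL.finditer(line):
        depth, i = 1, m.end()
        while i < len(line) and depth:            # walk forward to the matching ')'
            depth += {"(": 1, ")": -1}.get(line[i], 0)
            i += 1
        spans.append((m.start(), i))
    return spans

def find_unescaped_output(php_source):
    """Return [(line_no, var)] for echo/print statements emitting a request-derived
    variable outside any escaper call. Sanitising on assignment (sanitize_text_field)
    does not clear taint: output escaping is the layer this check enforces."""
    tainted, findings = set(), []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            if any(v in REQUEST_VARS or v in tainted for v in VAR.findall(rhs)):
                tainted.add(name)
            else:
                tainted.discard(name)             # reassigned from a trusted source
            continue
        if OUTPUT.search(line):
            spans = _escaped_spans(line)
            for vm in VAR.finditer(line):
                v = vm.group()
                if (v in REQUEST_VARS or v in tainted) and \
                        not any(s <= vm.start() < e for s, e in spans):
                    findings.append((line_no, v))
    return findings

# Constructed input: the page's own before/after snippets.
VULNERABLE = """$template_id = $_GET['preview_template'];
echo '<div class="preview-wrapper" data-template="' . $template_id . '">';"""
PATCHED = """$template_id = sanitize_text_field($_GET['preview_template']);
echo '<div class="preview-wrapper" data-template="' . esc_attr($template_id) . '">';"""
```

Running find_unescaped_output over the two snippets flags line 2 of the vulnerable version and nothing in the patched one; escaping only part of an expression (esc_html($t) . $t) is still reported.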

Attack Vectors and Exploitation Methods

An attacker exploiting CVE-2025-13456 would typically follow this attack chain:

  • Link crafting: The attacker creates a URL with a malicious JavaScript payload in the vulnerable parameter. The payload is often URL-encoded to appear less suspicious.
  • Delivery: The attacker sends the crafted link to a site administrator through email, a direct message, or a comment that appears to come from a trusted source. URL shorteners like bit.ly or TinyURL can hide the malicious nature of the link.
  • Execution: When the admin clicks the link while logged into WordPress, the JavaScript executes in their admin session context.
  • Exfiltration: The script steals session cookies and sends them to an attacker-controlled server. It can also perform admin-level actions directly via the REST API.

WooCommerce-Specific Risks

An XSS vulnerability in an e-commerce plugin carries risks beyond a standard WordPress plugin. ShopBuilder has access to WooCommerce-specific data and functionality. A successful exploit could expose:

  • Customer personally identifiable information (PII): Names, email addresses, shipping addresses, and phone numbers stored in WooCommerce orders.
  • Payment gateway configuration: API keys and connection settings for payment processors like Stripe, PayPal, and Square.
  • Order manipulation: An attacker could modify order statuses, change shipping addresses, or mark unpaid orders as completed.
  • Price and inventory tampering: Product prices, stock levels, and discount codes could be altered for financial gain.
  • Redirecting checkout flows: The injected script could modify checkout page behavior to intercept payment information.

For WooCommerce store owners, any XSS vulnerability in the admin area should be treated as a critical priority. The blast radius extends to customer data and financial transactions.

CVSS Score Details

CVE-2025-13456 has a CVSS base score of 6.1 (Medium) with the following vector breakdown:

  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None (the attacker does not need any account access)
  • User Interaction: Required (the victim must click a crafted link)
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
  • Affected Versions: ShopBuilder before 3.2.2

Update Guidance

All ShopBuilder versions before 3.2.2 are vulnerable to CVE-2025-13456. Version 3.2.2 includes the fix. To update, navigate to the Plugins page in your WordPress admin dashboard and update ShopBuilder to the latest version. You can also use WP-CLI:

wp plugin update shopbuilder

After updating, verify the installed version:

wp plugin get shopbuilder --fields=version
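An added example, not from the page or the ShopBuilder project: a POSIX sh helper that decides whether an installed version still predates the 3.2.2 fix, comparing each dotted component numerically (so 3.10.0 is correctly newer than 3.2.2, which a plain string comparison gets wrong). The commented lines at the end show how to feed it the WP-CLI output; --field=version prints the bare value where the page's --fields=version prints a table.

```shell
#!/bin/sh
# Added example: is the installed ShopBuilder still affected by CVE-2025-13456?
FIXED_VERSION="3.2.2"

# version_lt A B: exit 0 when dotted numeric version A is strictly older than B.
version_lt() {
    va="$1" vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ax="${va%%.*}"; bx="${vb%%.*}"          # leading component of each side
        case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
        case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
        # An exhausted side counts as 0, so 3.2 compares as 3.2.0.
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
    done
    return 1                                     # versions are equal
}

# shopbuilder_vulnerable VERSION: exit 0 if VERSION predates the fixed release.
shopbuilder_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Typical use on a live site (WP-CLI command from the page; run by hand, not in tests):
#   if shopbuilder_vulnerable "$(wp plugin get shopbuilder --field=version)"; then
#       echo "ShopBuilder predates 3.2.2: run 'wp plugin update shopbuilder'"
#   fi
```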

How Trusti Security Protects WooCommerce Sites

Trusti Security provides multiple layers of protection for WooCommerce sites against XSS and other threats. The Firewall module detects and blocks XSS payloads in URL parameters, POST data, and request headers before they reach vulnerable plugins. Even if a plugin has not yet been patched, the firewall provides virtual patching by inspecting incoming requests for malicious patterns.

Brute Force Protection secures the WooCommerce login and checkout pages against credential stuffing attacks. The Activity Logging module tracks admin actions including plugin updates, template modifications, and user role changes. It provides a forensic record if an attack does succeed. For WooCommerce sites handling customer data, the Core Integrity Scanner monitors file changes to detect backdoors that may have been installed through an XSS compromise.

ShopBuilder is available on WordPress.org at wordpress.org/plugins/shopbuilder/. Update to version 3.2.2 or later to protect your WooCommerce store from this vulnerability.
