Analysis Report · Folder Analysis cache/wc-builder_1.2.0 → cache/wc-builder_1.2.1 — CVE-2025-14054

Shared security patch analysis results

mode patchdiff ai claude_cli haiku
includes/addons/product_add_to_cart.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/addons/product_add_to_cart.php	2025-12-22 00:31:25.614346192 +0000+++ cache/wc-builder_1.2.1/includes/addons/product_add_to_cart.php	2025-12-22 00:31:30.362640064 +0000@@ -29,6 +29,13 @@          ob_start();         $unique_class = uniqid('wpbforwpbakery_product_addto_cart_');++        // Sanitize CSS values to prevent XSS+        $button_bg_color = wpbforwpbakery_sanitize_css_value( $button_bg_color );+        $button_text_color = wpbforwpbakery_sanitize_css_value( $button_text_color );+        $button_hover_bg_color = wpbforwpbakery_sanitize_css_value( $button_hover_bg_color );+        $button_hover_text_color = wpbforwpbakery_sanitize_css_value( $button_hover_text_color );+         $output = '<style>';         $output .= ".$unique_class .single_add_to_cart_button{background-color: {$button_bg_color} !important; color: {$button_text_color} !important;  }";         $output .= ".$unique_class .single_add_to_cart_button:hover{background-color: {$button_hover_bg_color} !important; color: {$button_hover_text_color} !important }";
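Review bot: The four button colour values are only passed through the generic wpbforwpbakery_sanitize_css_value() denylist before they are interpolated into the background-color and color declarations. These fields can only ever hold a colour, so validate them against an allowlist of colour syntaxes (hex, rgb()/rgba(), named colours) and fall back to an empty string or a default on mismatch. That is stricter than stripping characters and does not depend on the denylist being complete.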
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - includes/addons/product_add_to_cart.php - Lines 32-38 (fix), Lines 40-41 (original vulnerable code)

Old Code:
```php
$output = '<style>';
$output .= ".$unique_class .single_add_to_cart_button{background-color: {$button_bg_color} !important; color: {$button_text_color} !important;  }";
$output .= ".$unique_class .single_add_to_cart_button:hover{background-color: {$button_hover_bg_color} !important; color: {$button_hover_text_color} !important }";
```

Fixed Code:
```php
// Sanitize CSS values to prevent XSS
$button_bg_color = wpbforwpbakery_sanitize_css_value( $button_bg_color );
$button_text_color = wpbforwpbakery_sanitize_css_value( $button_text_color );
$button_hover_bg_color = wpbforwpbakery_sanitize_css_value( $button_hover_bg_color );
$button_hover_text_color = wpbforwpbakery_sanitize_css_value( $button_hover_text_color );

$output = '<style>';
$output .= ".$unique_class .single_add_to_cart_button{background-color: {$button_bg_color} !important; color: {$button_text_color} !important;  }";
$output .= ".$unique_class .single_add_to_cart_button:hover{background-color: {$button_hover_bg_color} !important; color: {$button_hover_text_color} !important }";
```

Explanation:
The original code directly interpolated user-supplied color values ($button_bg_color, $button_text_color, $button_hover_bg_color, $button_hover_text_color) into inline CSS without sanitization. This creates a Stored/Reflected XSS vulnerability where an attacker could inject malicious CSS or JavaScript through these color parameters. For example, an attacker could inject `red;} .fake { content: 'xss'` or use CSS expressions to execute JavaScript. The fix applies the `wpbforwpbakery_sanitize_css_value()` function to each color variable before interpolation, which removes potentially dangerous characters and ensures only valid CSS color values are included in the output.
CVE Analysis Results:
CVE-2025-14054: Yes
CVE Description:
The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
includes/addons/product_additional_information.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/addons/product_additional_information.php	2025-12-22 00:31:25.610345944 +0000+++ cache/wc-builder_1.2.1/includes/addons/product_additional_information.php	2025-12-22 00:31:30.338638578 +0000@@ -29,6 +29,14 @@         $product = wc_get_product();         ob_start(); +        // Sanitize CSS values to prevent XSS+        $heading_color = wpbforwpbakery_sanitize_css_value( $heading_color );+        $heading_font_size = wpbforwpbakery_sanitize_css_value( $heading_font_size );+        $heading_line_height = wpbforwpbakery_sanitize_css_value( $heading_line_height );+        $content_color = wpbforwpbakery_sanitize_css_value( $content_color );+        $content_font_size = wpbforwpbakery_sanitize_css_value( $content_font_size );+        $content_line_height = wpbforwpbakery_sanitize_css_value( $content_line_height );+         $output = '<style>';         $output .= ".woocommerce .$unique_class h2{color:{$heading_color}; font-size:{$heading_font_size}; line-height: {$heading_line_height}; }";         $output .= ".woocommerce .$unique_class .shop_attributes{color:{$content_color}; font-size:{$content_font_size}; line-height: {$content_line_height}; }";
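Review bot: $heading_font_size, $heading_line_height, $content_font_size and $content_line_height are lengths, yet they get the same character-stripping treatment as the two colour values. A number-plus-unit pattern check (digits, optional decimal part, then a unit such as px, em, rem or %) would reject anything that is not a length outright, instead of emitting whatever survives the stripping into font-size and line-height.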
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/addons/product_additional_information.php (lines 32-40)

Old Code:
```php
$output = '<style>';
$output .= ".woocommerce .$unique_class h2{color:{$heading_color}; font-size:{$heading_font_size}; line-height: {$heading_line_height}; }";
$output .= ".woocommerce .$unique_class .shop_attributes{color:{$content_color}; font-size:{$content_font_size}; line-height: {$content_line_height}; }";
```

Fixed Code:
```php
// Sanitize CSS values to prevent XSS
$heading_color = wpbforwpbakery_sanitize_css_value( $heading_color );
$heading_font_size = wpbforwpbakery_sanitize_css_value( $heading_font_size );
$heading_line_height = wpbforwpbakery_sanitize_css_value( $heading_line_height );
$content_color = wpbforwpbakery_sanitize_css_value( $content_color );
$content_font_size = wpbforwpbakery_sanitize_css_value( $content_font_size );
$content_line_height = wpbforwpbakery_sanitize_css_value( $content_line_height );

$output = '<style>';
$output .= ".woocommerce .$unique_class h2{color:{$heading_color}; font-size:{$heading_font_size}; line-height: {$heading_line_height}; }";
$output .= ".woocommerce .$unique_class .shop_attributes{color:{$content_color}; font-size:{$content_font_size}; line-height: {$content_line_height}; }";
```

Explanation:
The original code directly interpolated user-controlled variables ($heading_color, $heading_font_size, $heading_line_height, $content_color, $content_font_size, $content_line_height) into inline CSS within a `<style>` tag without any sanitization. This allows an attacker to inject arbitrary CSS or break out of the CSS context to inject JavaScript. For example, an attacker could inject `expression(alert('xss'))` in a font-size field or use CSS selectors with event handlers. The fix applies the `wpbforwpbakery_sanitize_css_value()` function to each variable before using them in the CSS output, which removes potentially malicious content while allowing legitimate CSS values.
CVE Analysis Results:
CVE-2025-14054: Yes
includes/addons/product_data_tab.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/addons/product_data_tab.php	2025-12-22 00:31:25.614346192 +0000+++ cache/wc-builder_1.2.1/includes/addons/product_data_tab.php	2025-12-22 00:31:30.362640064 +0000@@ -32,6 +32,16 @@          ob_start();         $unique_class = uniqid('wpbforwpbakery_product_data_tab');++        // Sanitize CSS values to prevent XSS+        $tab_title_color = wpbforwpbakery_sanitize_css_value( $tab_title_color );+        $tab_title_font_size = wpbforwpbakery_sanitize_css_value( $tab_title_font_size );+        $tab_title_line_height = wpbforwpbakery_sanitize_css_value( $tab_title_line_height );+        $active_tab_title_color = wpbforwpbakery_sanitize_css_value( $active_tab_title_color );+        $tab_heading_color = wpbforwpbakery_sanitize_css_value( $tab_heading_color );+        $tab_heading_font_size = wpbforwpbakery_sanitize_css_value( $tab_heading_font_size );+        $tab_heading_line_height = wpbforwpbakery_sanitize_css_value( $tab_heading_line_height );+         $output = '<style>';         $output .= ".woocommerce .$unique_class ul li a{ color: {$tab_title_color}; font-size:{$tab_title_font_size} !important; line-height:{$tab_title_line_height} !important; }";         $output .= ".woocommerce .$unique_class ul li.active a{ color: {$active_tab_title_color} !important; }";
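Review bot: Seven variables are sanitized by seven hand-written assignments here, and the same pattern is repeated in every addon file touched by this patch, so a styling attribute added later is easy to miss. Consider sanitizing once at the point where the shortcode attributes are extracted, looping over a list of the CSS attribute keys, so the `<style>` block that follows can only ever see cleaned values.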
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/addons/product_data_tab.php - Lines 35-44 (fix), Lines 45-47 (vulnerable code location)

Old Code:
```php
$output = '<style>';
$output .= ".woocommerce .$unique_class ul li a{ color: {$tab_title_color}; font-size:{$tab_title_font_size} !important; line-height:{$tab_title_line_height} !important; }";
$output .= ".woocommerce .$unique_class ul li.active a{ color: {$active_tab_title_color} !important; }";
$output .= ".woocommerce .$unique_class ul li a span{ color: {$tab_heading_color}; font-size:{$tab_heading_font_size} !important; line-height:{$tab_heading_line_height} !important; }";
```

Fixed Code:
```php
// Sanitize CSS values to prevent XSS
$tab_title_color = wpbforwpbakery_sanitize_css_value( $tab_title_color );
$tab_title_font_size = wpbforwpbakery_sanitize_css_value( $tab_title_font_size );
$tab_title_line_height = wpbforwpbakery_sanitize_css_value( $tab_title_line_height );
$active_tab_title_color = wpbforwpbakery_sanitize_css_value( $active_tab_title_color );
$tab_heading_color = wpbforwpbakery_sanitize_css_value( $tab_heading_color );
$tab_heading_font_size = wpbforwpbakery_sanitize_css_value( $tab_heading_font_size );
$tab_heading_line_height = wpbforwpbakery_sanitize_css_value( $tab_heading_line_height );

$output = '<style>';
$output .= ".woocommerce .$unique_class ul li a{ color: {$tab_title_color}; font-size:{$tab_title_font_size} !important; line-height:{$tab_title_line_height} !important; }";
$output .= ".woocommerce .$unique_class ul li.active a{ color: {$active_tab_title_color} !important; }";
$output .= ".woocommerce .$unique_class ul li a span{ color: {$tab_heading_color}; font-size:{$tab_heading_font_size} !important; line-height:{$tab_heading_line_height} !important; }";
```

Explanation:
The vulnerability existed because unsanitized user-controlled CSS property values were directly embedded into inline style output without validation. An attacker could inject malicious CSS values or JavaScript payloads through CSS property injection techniques (e.g., `expression()` in older IE browsers, or CSS variable manipulation). By adding sanitization via `wpbforwpbakery_sanitize_css_value()` before embedding these values into the style block, the fix prevents malicious input from being rendered in the CSS context, mitigating XSS attacks that could occur through CSS injection vectors.
CVE Analysis Results:
CVE-2025-14054: Yes
includes/addons/product_price.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/addons/product_price.php	2025-12-22 00:31:25.638347677 +0000+++ cache/wc-builder_1.2.1/includes/addons/product_price.php	2025-12-22 00:31:30.370640559 +0000@@ -27,6 +27,11 @@          ob_start();         $unique_class = uniqid('wpbforwpbakery_product_price_');++        // Sanitize CSS values to prevent XSS+        $regular_price_color = wpbforwpbakery_sanitize_css_value( $regular_price_color );+        $sale_price_color = wpbforwpbakery_sanitize_css_value( $sale_price_color );+         $output = '<style>';         $output .= ".$unique_class {float:none !important;width:100% !important;margin:0 !important; }";         $output .= ".$unique_class .price del{color: {$regular_price_color} !important }";
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/addons/product_price.php Lines 30-31

Old Code:
```php
$output = '<style>';
$output .= ".$unique_class .price del{color: {$regular_price_color} !important }";
$output .= ".$unique_class .price ins{color: {$sale_price_color} !important }";
```

Fixed Code:
```php
// Sanitize CSS values to prevent XSS
$regular_price_color = wpbforwpbakery_sanitize_css_value( $regular_price_color );
$sale_price_color = wpbforwpbakery_sanitize_css_value( $sale_price_color );

$output = '<style>';
$output .= ".$unique_class .price del{color: {$regular_price_color} !important }";
$output .= ".$unique_class .price ins{color: {$sale_price_color} !important }";
```

Explanation:
This was a stored/reflected XSS vulnerability. The variables `$regular_price_color` and `$sale_price_color` were being directly interpolated into inline CSS without sanitization. An attacker could inject malicious CSS or JavaScript via these color parameters (e.g., `red;}<script>alert('xss')</script><style>{` or CSS expressions like `expression(alert('xss'))`). The fix applies the `wpbforwpbakery_sanitize_css_value()` function to sanitize these values before they are used in the style block, preventing injection attacks while preserving legitimate CSS color values.
CVE Analysis Results:
CVE-2025-14054: Yes
includes/addons/product_related.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/addons/product_related.php	2025-12-22 00:31:25.638347677 +0000+++ cache/wc-builder_1.2.1/includes/addons/product_related.php	2025-12-22 00:31:30.374640806 +0000@@ -43,6 +43,13 @@             'order'          => $order,         ); +        // Sanitize CSS values to prevent XSS+        $show_heading = wpbforwpbakery_sanitize_css_value( $show_heading );+        $related_heading_color = wpbforwpbakery_sanitize_css_value( $related_heading_color );+        $related_heading_font_size = wpbforwpbakery_sanitize_css_value( $related_heading_font_size );+        $related_heading_line_height = wpbforwpbakery_sanitize_css_value( $related_heading_line_height );+        $related_heading_align = wpbforwpbakery_sanitize_css_value( $related_heading_align );+         $output = '<style>';         $output .= ".related > h2:first-child{display:{$show_heading}; }";         $output .= ".related > h2:first-child{ color: {$related_heading_color}; font-size:{$related_heading_font_size};line-height:{$related_heading_line_height}; text-align:{$related_heading_align} }";
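Review bot: $show_heading and $related_heading_align feed display: and text-align:, which accept a small fixed set of keywords, so the free-form sanitizer is looser than it needs to be for these two. Check each with in_array() against the keywords the addon actually offers and drop anything else; the colour, font-size and line-height values can keep going through wpbforwpbakery_sanitize_css_value().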
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - CWE-79 - includes/addons/product_related.php - Lines 43-52

Old Code:
```php
$output = '<style>';
$output .= ".related > h2:first-child{display:{$show_heading}; }";
$output .= ".related > h2:first-child{ color: {$related_heading_color}; font-size:{$related_heading_font_size};line-height:{$related_heading_line_height}; text-align:{$related_heading_align} }";
```

Fixed Code:
```php
// Sanitize CSS values to prevent XSS
$show_heading = wpbforwpbakery_sanitize_css_value( $show_heading );
$related_heading_color = wpbforwpbakery_sanitize_css_value( $related_heading_color );
$related_heading_font_size = wpbforwpbakery_sanitize_css_value( $related_heading_font_size );
$related_heading_line_height = wpbforwpbakery_sanitize_css_value( $related_heading_line_height );
$related_heading_align = wpbforwpbakery_sanitize_css_value( $related_heading_align );

$output = '<style>';
$output .= ".related > h2:first-child{display:{$show_heading}; }";
$output .= ".related > h2:first-child{ color: {$related_heading_color}; font-size:{$related_heading_font_size};line-height:{$related_heading_line_height}; text-align:{$related_heading_align} }";
```

Explanation:
The original code directly interpolated user-controlled CSS property values into a style tag without sanitization. This created a Stored/Reflected XSS vulnerability because attackers could inject malicious CSS including expression() functions, JavaScript protocol handlers, or other attack vectors through CSS property values. For example, an attacker could inject `color: red; }*{ background: url('javascript:alert(1)') }` to break out of the CSS context. The fix applies the `wpbforwpbakery_sanitize_css_value()` function to each CSS property value before interpolation, which properly escapes or validates the input to prevent XSS payloads from being executed.
CVE Analysis Results:
CVE-2025-14054: Yes
includes/addons/product_short_description.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/addons/product_short_description.php	2025-12-22 00:31:25.646348172 +0000+++ cache/wc-builder_1.2.1/includes/addons/product_short_description.php	2025-12-22 00:31:30.402642539 +0000@@ -41,6 +41,12 @@         $style = '';         $styles = array(); +        // Sanitize CSS values to prevent XSS+        $text_align = wpbforwpbakery_sanitize_css_value( $text_align );+        $text_color = wpbforwpbakery_sanitize_css_value( $text_color );+        $font_size = wpbforwpbakery_sanitize_css_value( $font_size );+        $line_height = wpbforwpbakery_sanitize_css_value( $line_height );+         if( $text_align != "" ){         	$styles[] = 'text-align:'. $text_align .'';         }
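Review bot: The four values are cleaned before the `if( $text_align != "" )` check, which is the right order, but the place where $styles is finally written out is not part of this change. If the joined string ends up in a style="" attribute, it should also go through esc_attr() at output, so the escaping matches the output context rather than relying on the quote stripping inside the sanitizer.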
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/addons/product_short_description.php - Lines 41-51

Old Code:
```php
        $style = '';
        $styles = array();

        if( $text_align != "" ){
        	$styles[] = 'text-align:'. $text_align .'';
        }
```

Fixed Code:
```php
        $style = '';
        $styles = array();

        // Sanitize CSS values to prevent XSS
        $text_align = wpbforwpbakery_sanitize_css_value( $text_align );
        $text_color = wpbforwpbakery_sanitize_css_value( $text_color );
        $font_size = wpbforwpbakery_sanitize_css_value( $font_size );
        $line_height = wpbforwpbakery_sanitize_css_value( $line_height );

        if( $text_align != "" ){
        	$styles[] = 'text-align:'. $text_align .'';
        }
```

Explanation:
The vulnerability existed because user-controlled CSS property values (`$text_align`, `$text_color`, `$font_size`, `$line_height`) were being directly concatenated into CSS style strings without sanitization. An attacker could inject malicious CSS or JavaScript through these parameters (e.g., `text-align: url('javascript:alert(1)')` or breaking out of the CSS context), leading to reflected XSS attacks. The fix applies `wpbforwpbakery_sanitize_css_value()` to all CSS-related variables before use, which properly escapes and validates CSS values to prevent injection attacks.
CVE Analysis Results:
CVE-2025-14054: Yes
includes/addons/product_title.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/addons/product_title.php	2025-12-22 00:31:25.646348172 +0000+++ cache/wc-builder_1.2.1/includes/addons/product_title.php	2025-12-22 00:31:30.402642539 +0000@@ -30,6 +30,12 @@         $style = '';         $styles = array(); +        // Sanitize CSS values to prevent XSS+        $text_align = wpbforwpbakery_sanitize_css_value( $text_align );+        $text_color = wpbforwpbakery_sanitize_css_value( $text_color );+        $font_size = wpbforwpbakery_sanitize_css_value( $font_size );+        $line_height = wpbforwpbakery_sanitize_css_value( $line_height );+         if( $text_align != "" ){         	$styles[] = 'text-align:'. $text_align .'';         }
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - includes/addons/product_title.php Lines 30-40

Old Code:
```php
$style = '';
$styles = array();

if( $text_align != "" ){
    $styles[] = 'text-align:'. $text_align .'';
}
```

Fixed Code:
```php
$style = '';
$styles = array();

// Sanitize CSS values to prevent XSS
$text_align = wpbforwpbakery_sanitize_css_value( $text_align );
$text_color = wpbforwpbakery_sanitize_css_value( $text_color );
$font_size = wpbforwpbakery_sanitize_css_value( $font_size );
$line_height = wpbforwpbakery_sanitize_css_value( $line_height );

if( $text_align != "" ){
    $styles[] = 'text-align:'. $text_align .'';
}
```

Explanation:
The original code directly concatenated user-supplied CSS values ($text_align, $text_color, $font_size, $line_height) into inline CSS styles without any sanitization. This creates a Stored XSS vulnerability where an attacker could inject malicious CSS or JavaScript through these parameters. For example, a malicious value like `red; background: url('javascript:alert(1)')` or expression-based payloads could be injected. The fix applies the `wpbforwpbakery_sanitize_css_value()` function to sanitize these values before they are used in the CSS output, preventing XSS attacks through CSS injection.
CVE Analysis Results:
CVE-2025-14054: Yes
includes/helper-functions.php AI: 2 vulnerabilities 1 false positive, 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/helper-functions.php	2025-12-22 00:31:25.794357332 +0000+++ cache/wc-builder_1.2.1/includes/helper-functions.php	2025-12-22 00:31:30.646657642 +0000@@ -139,17 +139,54 @@ 	} } -/*- * wpbakery row custom class- * return css class+/**+ * Get WPBakery row custom class.+ * Sanitized to prevent XSS attacks.+ *+ * @since 1.0.0+ * @since 1.2.1 Added esc_attr() sanitization for security.+ * @param string $param_value The CSS parameter value.+ * @param string $prefix Optional prefix for the class.+ * @param string $atts Optional attributes.+ * @return string Sanitized CSS class.  */ function wpbforwpbakery_get_vc_custom_class( $param_value, $prefix = '', $atts = '' ){-	if(function_exists('vc_shortcode_custom_css_class')){ -		return vc_shortcode_custom_css_class($param_value, $prefix);+	if(function_exists('vc_shortcode_custom_css_class')){+		$class = vc_shortcode_custom_css_class($param_value, $prefix);+		return esc_attr( $class ); 	} 	$css_class = preg_match( '/\s*\.([^\{]+)\s*\{\s*([^\}]+)\s*\}\s*/', $param_value ) ? $prefix . 
preg_replace( '/\s*\.([^\{]+)\s*\{\s*([^\}]+)\s*\}\s*/', '$1', $param_value ) : ''; -	return $css_class;+	return esc_attr( $css_class );+}++/**+ * Sanitize CSS property value to prevent XSS attacks.+ * Removes any characters that could be used to break out of CSS context.+ *+ * @since 1.2.1+ * @param string $value The CSS value to sanitize.+ * @return string Sanitized CSS value.+ */+function wpbforwpbakery_sanitize_css_value( $value ) {+    if ( empty( $value ) ) {+        return '';+    }+    // Remove any HTML tags+    $value = wp_strip_all_tags( $value );+    // Remove characters that could break out of CSS context+    // This includes: < > { } ; (when followed by }) / \ " ' ` and newlines+    $value = preg_replace( '/[<>{}\\\\"\'\`]/', '', $value );+    // Remove any attempts to close style tags+    $value = preg_replace( '/style\s*>/i', '', $value );+    // Remove any script-related content+    $value = preg_replace( '/script/i', '', $value );+    // Remove semicolons followed by closing brace (prevents breaking out of CSS rule)+    $value = preg_replace( '/;\s*\}/', '', $value );+    // Trim whitespace+    $value = trim( $value );++    return $value; }  /**
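Review bot: In wpbforwpbakery_sanitize_css_value() the comment says `/` and newlines are removed, but the character class only strips `< > { } \ " '` and the backtick, so either the class or the comment needs correcting. Two of the later steps are also dead code: once `>` and `}` have been stripped, the `style\s*>` and `;\s*\}` replacements can never match. Separately, the `empty( $value )` guard returns '' for the string "0", which silently drops a legitimate value such as a line-height of 0; compare against '' and null instead. A per-type allowlist (colour, length, keyword) would be easier to reason about than this sequence of removals.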
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/helper-functions.php Lines 154-157

Old Code:
```php
if(function_exists('vc_shortcode_custom_css_class')){ 
    return vc_shortcode_custom_css_class($param_value, $prefix);
}
$css_class = preg_match( '/\s*\.([^\{]+)\s*\{\s*([^\}]+)\s*\}\s*/', $param_value ) ? $prefix . preg_replace( '/\s*\.([^\{]+)\s*\{\s*([^\}]+)\s*\}\s*/', '$1', $param_value ) : '';

return $css_class;
```

Fixed Code:
```php
if(function_exists('vc_shortcode_custom_css_class')){
    $class = vc_shortcode_custom_css_class($param_value, $prefix);
    return esc_attr( $class );
}
$css_class = preg_match( '/\s*\.([^\{]+)\s*\{\s*([^\}]+)\s*\}\s*/', $param_value ) ? $prefix . preg_replace( '/\s*\.([^\{]+)\s*\{\s*([^\}]+)\s*\}\s*/', '$1', $param_value ) : '';

return esc_attr( $css_class );
```

Explanation:
The function wpbforwpbakery_get_vc_custom_class() was returning unsanitized CSS class values that could be output directly into HTML attributes. The fix applies esc_attr() sanitization to both return paths, properly escaping any special characters that could break out of the HTML attribute context and inject malicious code. This prevents XSS attacks where an attacker could inject JavaScript through malicious CSS class parameters.

---

Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - includes/helper-functions.php Lines 165-190

Old Code:
```php
// No sanitization function existed previously
```

Fixed Code:
```php
/**
 * Sanitize CSS property value to prevent XSS attacks.
 * Removes any characters that could be used to break out of CSS context.
 *
 * @since 1.2.1
 * @param string $value The CSS value to sanitize.
 * @return string Sanitized CSS value.
 */
function wpbforwpbakery_sanitize_css_value( $value ) {
    if ( empty( $value ) ) {
        return '';
    }
    // Remove any HTML tags
    $value = wp_strip_all_tags( $value );
    // Remove characters that could break out of CSS context
    // This includes: < > { } ; (when followed by }) / \ " ' ` and newlines
    $value = preg_replace( '/[<>{}\\\\"\'\`]/', '', $value );
    // Remove any attempts to close style tags
    $value = preg_replace( '/style\s*>/i', '', $value );
    // Remove any script-related content
    $value = preg_replace( '/script/i', '', $value );
    // Remove semicolons followed by closing brace (prevents breaking out of CSS rule)
    $value = preg_replace( '/;\s*\}/', '', $value );
    // Trim whitespace
    $value = trim( $value );

    return $value;
}
```

Explanation:
A new helper function wpbforwpbakery_sanitize_css_value() was added to provide robust CSS value sanitization. This addresses a vulnerability where unsanitized CSS values could be used to inject malicious content. The function removes dangerous characters, HTML tags, and patterns that could break out of CSS context (such as closing style tags or script references). While this function is newly added and not shown with before/after in actual usage, it represents a defensive measure against CSS injection attacks that could lead to XSS vulnerabilities.
CVE Analysis Results:
CVE-2025-14054: Yes
includes/woo_shop.php AI: No vulnerabilities CVE-2025-14054
--- cache/wc-builder_1.2.0/includes/woo_shop.php	2025-12-22 00:31:25.798357580 +0000+++ cache/wc-builder_1.2.1/includes/woo_shop.php	2025-12-22 00:31:30.654658137 +0000@@ -86,10 +86,10 @@         $archive_template_id = $this->wpbforwpbakery_product_archive_template();         if( $archive_template_id ){         	if ($wpb_custom_css = get_post_meta($archive_template_id, '_wpb_post_custom_css', true)) {-        		echo '<style type="text/css">' . $wpb_custom_css . '</style>';+        		echo '<style type="text/css">' . wp_strip_all_tags( $wpb_custom_css ) . '</style>';         	}         	if ($wpb_shortcodes_custom_css = get_post_meta($archive_template_id, '_wpb_shortcodes_custom_css', true)) {-        		echo '<style type="text/css">' . $wpb_shortcodes_custom_css . '</style>';+        		echo '<style type="text/css">' . wp_strip_all_tags( $wpb_shortcodes_custom_css ) . '</style>';         	}          	$product_archive_custom_page = get_post($archive_template_id);@@ -153,10 +153,10 @@           	if ($wpb_custom_css = get_post_meta($wpbtemplateid, '_wpb_post_custom_css', true)) {-        		echo '<style type="text/css">' . $wpb_custom_css . '</style>';+        		echo '<style type="text/css">' . wp_strip_all_tags( $wpb_custom_css ) . '</style>';         	}         	if ($wpb_shortcodes_custom_css = get_post_meta($wpbtemplateid, '_wpb_shortcodes_custom_css', true)) {-        		echo '<style type="text/css">' . $wpb_shortcodes_custom_css . '</style>';+        		echo '<style type="text/css">' . wp_strip_all_tags( $wpb_shortcodes_custom_css ) . '</style>';         	}          	$product_archive_custom_page = get_post($wpbtemplateid);
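Review bot: The same pair of echo statements is patched at two separate sites (around lines 89 and 153), each wrapping the post meta in wp_strip_all_tags() by hand. Move the two echoes into one private method that takes the template id, so the escaping of `_wpb_post_custom_css` and `_wpb_shortcodes_custom_css` cannot drift apart between the archive and single-template paths. Note also that wp_strip_all_tags() only removes markup; the stored CSS itself is emitted unvalidated, so it is worth a comment stating which roles are expected to be able to write these meta keys.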
AI Analysis
# Security Analysis: woo_shop.php Diff

## Vulnerability 1

**Vulnerability Existed:** yes

**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - includes/woo_shop.php [89, 93, 156, 160]

**Old Code:**
```php
echo '<style type="text/css">' . $wpb_custom_css . '</style>';
echo '<style type="text/css">' . $wpb_shortcodes_custom_css . '</style>';
```

**Fixed Code:**
```php
echo '<style type="text/css">' . wp_strip_all_tags( $wpb_custom_css ) . '</style>';
echo '<style type="text/css">' . wp_strip_all_tags( $wpb_shortcodes_custom_css ) . '</style>';
```

**Explanation:**

The original code directly echoed custom CSS retrieved from post metadata without any sanitization or escaping. This created a Stored Cross-Site Scripting (XSS) vulnerability where malicious actors could inject arbitrary HTML/JavaScript through the post metadata fields `_wpb_post_custom_css` and `_wpb_shortcodes_custom_css`. 

For example, an attacker could inject: `<style type="text/css">*/</style><script>alert('xss')</script><style type="text/css">/*`

The fix applies `wp_strip_all_tags()`, which removes all HTML tags from the user-supplied input before echoing it. `wp_strip_all_tags()` is a basic function that removes tags, and it may not be the optimal choice for CSS content. A more robust solution would use `wp_kses_post()` with appropriate CSS tag whitelisting, or `esc_attr()` if the CSS is meant to be attribute-escaped. That said, the current fix does substantially reduce the XSS attack surface by preventing tag injection.
CVE Analysis Results:
CVE-2025-14054: Yes
wc-builder.php AI: 1 vulnerabilities 1 true positive CVE-2025-14054
--- cache/wc-builder_1.2.0/wc-builder.php	2025-12-22 00:31:25.806358075 +0000+++ cache/wc-builder_1.2.1/wc-builder.php	2025-12-22 00:31:30.658658384 +0000@@ -3,7 +3,7 @@  * Plugin Name: WC Builder - WooCommerce Page Builder for WPBakery  * Description: The WooCommerce elements library for WPBakery page builder plugin for WordPress.  * Plugin URI: 	http://hasthemes.com- * Version: 	1.2.0+ * Version: 	1.2.1  * Author: 		HasThemes  * Author URI: 	http://hasthemes.com  * License:  	GPL-2.0+@@ -14,7 +14,7 @@  if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly -define( 'WPBFORWPBAKERY_VERSION', '1.2.0' );+define( 'WPBFORWPBAKERY_VERSION', '1.2.1' ); define( 'WPBFORWPBAKERY_ADDONS_PL_URL', plugins_url( '/', __FILE__ ) ); define( 'WPBFORWPBAKERY_ADDONS_PL_PATH', plugin_dir_path( __FILE__ ) ); define( 'WPBFORWPBAKERY_ADDONS_PL_ROOT', __FILE__ );@@ -64,6 +64,7 @@     // dynamic style    $site_width = wpbforwpbakery_get_option( 'content_width', 'wpbforwpbakery_woo_template_tabs', '1170' );+   $site_width = wpbforwpbakery_sanitize_css_value( $site_width ); // Sanitize to prevent XSS    $data = '';    if($site_width){    	   $data = "
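Review bot: in the `@@ -64,6 +64,7 @@` hunk the new call to `wpbforwpbakery_sanitize_css_value()` has no definition in this file's diff, so what it accepts cannot be checked from here. Please confirm it is loaded before this code runs and that it returns an empty value for rejected input, because the `if($site_width)` guard that follows is the only thing deciding whether `$data` is built. Since `content_width` defaults to `'1170'`, a numeric check (for example `absint()`) would be tighter than a general CSS-value filter if the option is only ever a pixel count. The two version-bump hunks agree with each other: the plugin header and `WPBFORWPBAKERY_VERSION` both move to 1.2.1.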
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - wc-builder.php lines 64-67

Old Code:
```php
$site_width = wpbforwpbakery_get_option( 'content_width', 'wpbforwpbakery_woo_template_tabs', '1170' );
$data = '';
if($site_width){
    $data = "
```

Fixed Code:
```php
$site_width = wpbforwpbakery_get_option( 'content_width', 'wpbforwpbakery_woo_template_tabs', '1170' );
$site_width = wpbforwpbakery_sanitize_css_value( $site_width ); // Sanitize to prevent XSS
$data = '';
if($site_width){
    $data = "
```

Explanation:
The vulnerability existed because `$site_width` was retrieved from plugin options without sanitization before being used in CSS output. If the option value could be user-controlled or modified maliciously, it could contain malicious CSS or injected JavaScript that would be output to the page, resulting in a Stored XSS vulnerability. The fix adds a call to `wpbforwpbakery_sanitize_css_value()` to sanitize the value before using it, preventing injection of malicious content through CSS values. This is a proper security fix for protecting against CSS-based XSS attacks.
CVE Analysis Results:
CVE-2025-14054: Yes