HK Security Alert: WPBakery Cross-Site Scripting (CVE-2025-11161)

WordPress WPBakery Page Builder plugin
Plugin Name: WPBakery Page Builder
Type of Vulnerability: Stored XSS
CVE Number: CVE-2025-11161
Urgency: Low
CVE Publish Date: 2025-10-15
Source URL: CVE-2025-11161

WPBakery Page Builder (≤ 8.6.1) — Stored XSS via vc_custom_heading Shortcode (CVE-2025-11161)

Author: Hong Kong Security Expert — 2025-10-15

Summary — A stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-11161) affecting WPBakery Page Builder versions up to and including 8.6.1 has been published. It allows a contributor-level user to inject persistent script or HTML via the vc_custom_heading shortcode. The issue was fixed in WPBakery version 8.7. If you cannot update immediately, content-hardening or virtual-patching measures that inspect submitted content and rendered HTML can reduce the risk of exploitation.

Introduction

If you operate WordPress sites that use WPBakery Page Builder, this advisory is relevant. This report is written from the perspective of a Hong Kong-based security practitioner to explain the risk, likely impact, detection approaches, and practical steps to protect your sites. The guidance below is pragmatic and focused on actions site owners, administrators and technical operators can take quickly.

The vulnerability in one sentence

  • Vulnerability: Stored Cross-Site Scripting (XSS) via the vc_custom_heading shortcode.
  • Product: WPBakery Page Builder (plugin).
  • Affected versions: ≤ 8.6.1
  • Fixed in: 8.7
  • CVE: CVE-2025-11161
  • Reported CVSS: 6.5 (moderate)
  • Required privilege: Contributor (able to create or edit content)

What is stored XSS and why this matters

Cross-Site Scripting (XSS) allows an attacker to inject JavaScript or active content that runs in the browser of site visitors or administrators. Stored (persistent) XSS means the malicious input is saved on the server — for example inside post content, shortcodes, or metadata — and executes whenever a page containing the payload is viewed.

Consequences of stored XSS can include:

  • Session theft (if cookies or tokens are accessible to script)
  • Privilege escalation via automated actions performed in the context of an authenticated user
  • Content defacement, malicious redirects, or delivery of phishing/malware content
  • Abuse for ad injection, SEO poisoning, or broader site compromise

The specifics of this WPBakery issue

Public advisories indicate WPBakery Page Builder’s handling of the vc_custom_heading shortcode allowed untrusted HTML or attributes to be stored and later rendered without adequate sanitization. A contributor-level user could craft shortcode content including malicious markup or event attributes that the plugin failed to properly sanitize or encode before output.

  • Exploitability: contributor-level access is sufficient on affected sites.
  • Persistence: payloads are stored within content and remain until removed or sanitized.
  • Fix: upstream patch in WPBakery 8.7 corrects the sanitization/rendering behaviour.

Exploit scenarios to consider

  1. Malicious contributor or compromised contributor account: an attacker submits a post with vc_custom_heading containing malicious markup. Visitors and staff viewing the post execute the injected script.
  2. Compromised editor/admin via social engineering: convincing an editor to preview content may trigger a payload.
  3. Automated scanning and mass injection: opportunistic actors scan for WPBakery installations and inject payloads to monetise or expand access.
  4. Theme or template rendering: templates or widgets that render shortcodes site-wide can expose many pages to the payload.

Risk factors that increase likelihood

  • Allowing external contributor publishing without strict review.
  • Running plugin versions ≤ 8.6.1.
  • Absence of controls that inspect submitted content or rendered HTML for script-like markup.
  • Weak administrative credentials and missing multi-factor authentication.

Immediate steps to protect your site (short checklist)

  1. Upgrade WPBakery Page Builder to 8.7 (or the latest) as soon as feasible.
  2. If you cannot update immediately:
    • Apply content inspection that blocks or sanitizes script-like content in vc_custom_heading attributes, both when content is submitted and when it is rendered on the front end.
    • Restrict contributor capabilities — require editor review or disable contributor publishing.
    • Review recent posts, revisions, and custom headings for unexpected markup such as
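To support the review step above, the following triage scanner is an added example (not WPBakery, WordPress or this advisory's own code): it walks post rows such as a WP-CLI `wp post list --fields=ID,post_content --format=json` export (an assumed input source; any rows with `ID` and `post_content` work), parses each vc_custom_heading shortcode's attributes, and flags attribute values that carry event handlers, script tags, or javascript:/data: URIs, after entity-decoding so encoded variants are also seen. The sample rows are constructed, and the indicator list is a heuristic, not a statement of which attribute the plugin mishandled.

```python
import html
import re
from dataclasses import dataclass

# WordPress bracket-shortcode syntax; the attribute string is captured raw and
# stops at ']', as WordPress's own shortcode parser does.
SHORTCODE_RE = re.compile(r"\[vc_custom_heading\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")

# Heuristic indicators of active content in an attribute value. Values are
# entity-decoded first so &lt;script&gt; or &quot;onerror=&quot; is still seen.
# Expect occasional false positives (e.g. a literal "one=") and triage by hand.
INDICATORS = {
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_data_uri": re.compile(r"data\s*:\s*text/html", re.IGNORECASE),
    "embedded_frame": re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE),
}

@dataclass(frozen=True)
class Finding:
    post_id: int
    attribute: str
    indicator: str
    snippet: str

def parse_attributes(raw: str) -> dict:
    """Parse one shortcode's attribute string into {name: entity-decoded value}."""
    return {m.group(1).lower(): html.unescape(m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}

def scan_post(post_id: int, content: str) -> list:
    """Return a Finding for every indicator hit inside any vc_custom_heading attribute."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_attributes(sc.group(1)).items():
            for label, pattern in INDICATORS.items():
                hit = pattern.search(value)
                if hit:
                    findings.append(Finding(post_id, name, label,
                                            value[max(0, hit.start() - 20):hit.end() + 20]))
    return findings

def scan_posts(posts: list) -> list:
    """posts: rows with 'ID' and 'post_content', e.g. from a WP-CLI JSON export."""
    return [f for row in posts for f in scan_post(int(row["ID"]), row.get("post_content", ""))]

# Constructed sample rows (not real site data): a benign heading, an event handler
# smuggled into the text attribute, and an entity-encoded javascript: link.
SAMPLE_POSTS = [
    {"ID": 101, "post_content": '[vc_custom_heading text="Welcome" font_container="tag:h2"]'},
    {"ID": 102, "post_content": '[vc_custom_heading text="Hi <img src=x onerror=console.log(1)>"]'},
    {"ID": 103, "post_content": '[vc_custom_heading text="&lt;a href=&quot;javascript:void(0)&quot;&gt;x&lt;/a&gt;"]'},
]
```

Running `scan_posts(SAMPLE_POSTS)` reports posts 102 and 103 and leaves 101 clean; each Finding names the post, the attribute and the indicator so a reviewer can open the revision and decide whether to strip or restore it.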