Hong Kong Security Alert: WPBakery XSS Risk (CVE-2025-10006)

WordPress WPBakery Page Builder plugin
Plugin Name: WPBakery Page Builder
Type of Vulnerability: Stored XSS
CVE Number: CVE-2025-10006
Urgency: Low
CVE Publish Date: 2025-10-18
Source URL: CVE-2025-10006

WPBakery Page Builder ≤ 8.6 — Authenticated (Contributor) Stored XSS (CVE-2025-10006): Risk, Detection and Mitigation

Author: Hong Kong Security Expert

Date: 2025-10-18

Tags: WordPress, WPBakery, XSS, security, WAF, incident-response

Summary

A stored cross-site scripting (XSS) vulnerability affecting WPBakery Page Builder versions up to and including 8.6 was published as CVE-2025-10006. An authenticated user with Contributor privileges (or higher) may be able to inject HTML/JavaScript that is persisted by the plugin and executed later when the content is rendered—either on the public site or in the admin interface.

Although Contributors are lower-privileged by design, stored XSS in a page builder is serious because scripts can target administrators or other higher-privilege users who view the content. Possible impacts include session theft, privilege escalation, automated backdoors and persistent SEO spam. The vendor fixed the issue in version 8.7. This article explains risk scenarios, detection and containment steps, and practical mitigations.

Who is affected?

  • WordPress sites running WPBakery Page Builder version 8.6 or earlier.
  • Sites that permit Contributors (or higher) to create/edit content rendered through WPBakery elements.
  • Sites without compensating controls such as a WAF, strict content policies, or role hardening.

If you are already on 8.7 or newer, the vendor fix is applied. If you cannot patch immediately (compatibility reasons, staging requirements), implement the mitigations below promptly.

What exactly is the vulnerability?

Short explanation

  • Type: Stored Cross-Site Scripting (XSS)
  • Privilege required: Contributor (authenticated)
  • CVE: CVE-2025-10006
  • Affected: WPBakery Page Builder ≤ 8.6
  • Fixed in: 8.7

Technical context (high level)

WPBakery Page Builder allows users to create elements via shortcodes and HTML snippets. In this case, input from contributors can be persisted into post content or plugin-managed metadata without sufficient sanitization or contextual escaping. When rendered (post preview, admin editor, or public page), browsers can execute embedded scripts. The stored nature means payloads persist and may trigger whenever the content is viewed.

No exploit code is published here; the intent is to explain risk and defensive measures.

Why this matters — real-world impact

  • Administrator compromise: If an admin previews or edits a compromised page and a script runs, the attacker may attempt session theft, CSRF-backed admin actions, or other pivots.
  • Persistent site compromise: Stored XSS can be abused to inject backdoors, create admin users, or plant code that fetches further payloads.
  • Reputation and SEO damage: Hidden spam, redirects or phishing pages harm rankings and user trust.
  • Data theft: Visitor data from forms or analytics can be exfiltrated by injected scripts.

CVSS numbers do not always capture real-world exposure; risk depends on workflow and how frequently admins interact with contributor content.

Exploitation scenarios (what to watch for)

  1. Contributor saves a post containing a malicious payload in a WPBakery element. An admin later previews or edits the page; the script executes in the admin context.
  2. Contributor publishes content (if allowed) that runs scripts for visitors to perform redirects, show spam, or mine resources.
  3. Attacker hides payloads behind user-agent or referrer checks so the malicious behaviour is not obvious on casual inspection.
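To find the stored payloads these scenarios leave behind, here is an added Python scan over post_content rows (an example written for this article, not code from the plugin or vendor). It assumes WPBakery's raw HTML element persists its body base64-encoded (URL-encoded HTML inside) and uses constructed sample rows in place of a real wp_posts export.

```python
import base64
import re
from urllib.parse import quote, unquote

# Markers that warrant manual review in contributor-authored content (case-insensitive).
MARKERS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.I),  # onerror=, onload=, ...
    "javascript_url": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
}
# Assumption: the raw HTML element stores its body base64-encoded between these shortcode tags.
RAW_HTML = re.compile(r"\[vc_raw_html[^\]]*\](.*?)\[/vc_raw_html\]", re.S)

def decode_raw_html(content):
    """Expand vc_raw_html bodies so markers hidden behind the encoding are visible to the scan."""
    def expand(m):
        try:
            return unquote(base64.b64decode(m.group(1).strip(), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: leave undecodable bodies as-is
            return m.group(1)
    return RAW_HTML.sub(expand, content)

def find_markers(content):
    """Return the sorted marker names present in one post_content value."""
    expanded = decode_raw_html(content)
    return sorted(name for name, rx in MARKERS.items() if rx.search(expanded))

def scan_posts(rows, roles=("contributor",)):
    """Return (ID, markers) for posts by the given roles whose content contains any marker."""
    findings = []
    for row in rows:  # rows stand in for wp_posts joined with the author's role
        if row["role"] not in roles:
            continue
        hits = find_markers(row["post_content"])
        if hits:
            findings.append((row["ID"], hits))
    return findings

def _vc_raw_html(html):
    """Constructed sample helper: wrap HTML the way the raw HTML element persists it."""
    return "[vc_raw_html]" + base64.b64encode(quote(html, safe="").encode()).decode() + "[/vc_raw_html]"

# Constructed sample rows; none of these is real site data.
SAMPLE_POSTS = [
    {"ID": 101, "role": "contributor", "post_content": "[vc_row][vc_column][vc_column_text]Hello[/vc_column_text][/vc_column][/vc_row]"},
    {"ID": 102, "role": "contributor", "post_content": "[vc_row][vc_column]" + _vc_raw_html('<script src="https://example.invalid/x.js"></script>') + "[/vc_column][/vc_row]"},
    {"ID": 103, "role": "contributor", "post_content": '[vc_column_text]<img src="x" onerror="void(0)">[/vc_column_text]'},
    {"ID": 104, "role": "administrator", "post_content": "<script>console.log(1)</script>"},
]
```

Running `scan_posts(SAMPLE_POSTS)` flags posts 102 and 103 for review while leaving the benign contributor post and the administrator-authored post out of the default scope.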

How to detect if you’ve been targeted

Quick audit checklist:

  • Plugin version: Confirm WPBakery version from the Plugins screen or WP-CLI. If ≤ 8.6, assume exposure.
  • Review recent content: Filter posts/pages authored by Contributors over the last 30–90 days and inspect for untrusted HTML.
  • Database scan: Search post_content and postmeta for script markers such as