Description
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. The cause is insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher, provided they have access to the WPBakery editor for the relevant post types, to inject arbitrary web scripts into pages; the injected script executes whenever a user accesses an affected page.
Published: 2025-10-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The WPBakery Page Builder plugin for WordPress is vulnerable to stored Cross-Site Scripting (CWE-80) through its Custom JS module. Because the module neither sanitizes the submitted input nor escapes it on output, an authenticated contributor or higher can embed arbitrary JavaScript that is persisted and executed on any page that includes the Custom JS module. This could lead to session hijacking, defacement, or the delivery of malicious payloads to site visitors.

Affected Systems

WordPress sites running the WPBakery Page Builder plugin, versions 8.6.1 and earlier. The vulnerability affects any installation where the Custom JS module is enabled and users can edit posts, pages, or other editor‑enabled post types.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 indicates medium severity, and the EPSS score below 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog, so it has not been observed being exploited in the wild at scale. Exploitation requires an authenticated account with contributor or higher privileges and access to the WPBakery editor, so the risk is concentrated on sites whose administrators grant such permissions to users who are not fully trusted. Once the malicious script is inserted, it runs for every visitor who loads the affected page, so the impact on a compromised site can be broad.

Generated by OpenCVE AI on April 22, 2026 at 13:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPBakery Page Builder to the latest available version, which removes the vulnerability.
  • If an update is not immediately possible, disable the Custom JS module or restrict its use to trusted administrators only.
  • Implement a strict Content Security Policy that restricts inline script execution and external script sources, to limit the impact of any remaining injection.
  • Perform regular security scans of the WordPress installation for unauthorized scripts or suspicious code in the database or files.

Advisories

No advisories yet.

History

Wed, 26 Nov 2025 17:45:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*

Mon, 20 Oct 2025 13:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Wordpress
                                        Wordpress wordpress
                                        Wpbakery
                                        Wpbakery page Builder
Vendors & Products                      Wordpress
                                        Wordpress wordpress
                                        Wpbakery
                                        Wpbakery page Builder

Wed, 15 Oct 2025 16:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Oct 2025 07:00:00 +0000

Type          Values Removed    Values Added
Description                     The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types.
Title                           WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module
Weaknesses                      CWE-80
References
Metrics                         cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:12.437Z

Reserved: 2025-09-29T15:06:39.179Z

Link: CVE-2025-11160

Vulnrichment

Updated: 2025-10-15T15:27:13.185Z

NVD

Status: Analyzed

Published: 2025-10-15T07:15:30.680

Modified: 2025-11-26T17:34:06.707

Link: CVE-2025-11160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses