Description
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page, via the vc_custom_heading shortcode with malicious tag and text attributes, provided they have access to use WPBakery shortcodes.
Published: 2025-10-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

WPBakery Page Builder contains a stored cross-site scripting flaw in the vc_custom_heading shortcode, caused by insufficient restriction of the allowed HTML tags and improper sanitization of the shortcode's font_container and text attributes. An attacker who can create or edit content that uses the shortcode can store JavaScript that runs in the browser of any user who views the affected page, including the editor or administrator who previews a pending post. Consequences include session or credential theft, defacement, and delivery of further payloads with the victim's privileges. The weakness is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, basic XSS).

Affected Systems

The flaw affects the WPBakery Page Builder plugin for WordPress in all versions up to and including 8.6.1 (CPE cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*). Any WordPress site running one of those releases is affected; the practical exposure is sites where contributor-level or higher users are permitted to use WPBakery shortcodes.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates medium severity, with a changed scope because the injected script executes in other users' browsers. An EPSS score below 1% and the SSVC assessment recorded for this CVE (Exploitation: none, Automatable: no) suggest the current likelihood of exploitation is low, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated account with contributor-level or higher privileges that is allowed to use WPBakery shortcodes, plus the ability to add or edit content containing the vc_custom_heading shortcode. Because a contributor's post is reviewed before publication, a privileged user previewing it is a natural first victim, which makes this a path from a low-privilege account to an editor or administrator session. A site that hands out contributor accounts broadly (open registration, guest authors) widens the attack surface accordingly.

Generated by OpenCVE AI on April 22, 2026 at 22:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPBakery Page Builder to a release newer than 8.6.1 that contains the fix. This record does not name the fixed version, so confirm it against the vendor changelog before relying on the upgrade.
  • If an update is not immediately possible, remove or disable the vc_custom_heading shortcode on the site. This stops the shortcode from rendering the injected tag and text attributes; it does not remove payloads already stored in post_content, so audit existing posts that use the shortcode as well.
  • Until the plugin is updated, restrict which roles may use WPBakery shortcodes (the plugin ships a role manager for this) and review contributor-level and higher accounts, so that untrusted users cannot insert the vulnerable shortcode.
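The description above says the weakness lies in the tag and text attributes reaching the page unchecked; the recommended actions ask for an audit of stored content. The following Python is an added example that is not WPBakery's code and not part of the OpenCVE record: it models the weak rendering pattern beside a hardened one, and hunts a set of constructed post_content rows for vc_custom_heading shortcodes whose tag is off an allowlist or whose text looks like markup. It assumes the pipe-separated key:value layout of font_container (tag:h2|font_size:24px|...), a simplified regex shortcode parser, and a hypothetical allowlist of heading-like element names; the sample posts are invented.

```python
import re
from html import escape

# Constructed sample post_content rows (post_id -> content); not real site data.
SAMPLE_POSTS = {
    101: '[vc_custom_heading text="Welcome" font_container="tag:h2|font_size:24px|text_align:center"]',
    102: '[vc_custom_heading text="News" font_container="tag:h2 onmouseover=alert(1)|font_size:20px"]',
    103: '[vc_custom_heading text="<img src=x onerror=alert(document.cookie)>" font_container="tag:h3"]',
    104: '[vc_row][vc_column][vc_custom_heading text="About" font_container="tag:p"][/vc_column][/vc_row]',
}

# Simplified shortcode/attribute parsing (assumption: attributes are double-quoted).
SHORTCODE_RE = re.compile(r'\[vc_custom_heading\b([^\]]*)\]')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Hypothetical allowlist: element names a heading shortcode should ever emit.
ALLOWED_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "p", "div", "span"}
DEFAULT_TAG = "h2"


def parse_attrs(attr_text: str) -> dict:
    """Turn 'text="x" font_container="tag:h2"' into a dict of attribute values."""
    return dict(ATTR_RE.findall(attr_text))


def parse_font_container(value: str) -> dict:
    """Split 'tag:h2|font_size:24px' into {'tag': 'h2', 'font_size': '24px'}."""
    out = {}
    for part in value.split("|"):
        if ":" in part:
            key, val = part.split(":", 1)
            out[key.strip()] = val.strip()
    return out


def render_unchecked(attrs: dict) -> str:
    """Model of the weak pattern: tag and text flow into the markup unchanged."""
    fc = parse_font_container(attrs.get("font_container", ""))
    tag = fc.get("tag", DEFAULT_TAG)
    return f"<{tag}>{attrs.get('text', '')}</{tag}>"


def render_hardened(attrs: dict) -> str:
    """Allowlist the element name and HTML-escape the text; anything else is dropped."""
    fc = parse_font_container(attrs.get("font_container", ""))
    tag = fc.get("tag", DEFAULT_TAG).lower()
    if tag not in ALLOWED_TAGS:  # rejects 'h2 onmouseover=...', 'script', 'img src=x'
        tag = DEFAULT_TAG
    return f"<{tag}>{escape(attrs.get('text', ''), quote=True)}</{tag}>"


# Text values that should never appear in a heading: raw tags, URL schemes, event handlers.
SUSPICIOUS_TEXT = re.compile(r"<|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_suspicious(posts: dict) -> list:
    """Hunt stored shortcodes whose tag is off-allowlist or whose text looks like markup."""
    hits = []
    for post_id, content in posts.items():
        for match in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(match.group(1))
            tag = parse_font_container(attrs.get("font_container", "")).get("tag", DEFAULT_TAG)
            if tag.lower() not in ALLOWED_TAGS:
                hits.append((post_id, f"tag={tag!r}"))
            if SUSPICIOUS_TEXT.search(attrs.get("text", "")):
                hits.append((post_id, f"text={attrs['text']!r}"))
    return hits


if __name__ == "__main__":
    for post_id, reason in find_suspicious(SAMPLE_POSTS):
        print(post_id, reason)
```

Run it against a dump of wp_posts.post_content (for example the output of `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%vc_custom_heading%'"`) by loading the rows into the dict in place of SAMPLE_POSTS. The hardened renderer shows the shape of the fix a practitioner would expect: the element name is compared against a closed set rather than filtered for bad characters, and the text is escaped on output so an already stored payload renders inert.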


Advisories

No advisories yet.

History

Wed, 26 Nov 2025 15:15:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*

Mon, 20 Oct 2025 13:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Wordpress
                                        Wordpress wordpress
                                        Wpbakery
                                        Wpbakery page Builder
Vendors & Products                      Wordpress
                                        Wordpress wordpress
                                        Wpbakery
                                        Wpbakery page Builder

Wed, 15 Oct 2025 17:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Oct 2025 07:00:00 +0000

Type           Values Removed    Values Added
Description                      The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes.
Title                            WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode
Weaknesses                       CWE-80
References
Metrics                          cvssV3_1
                                 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:55.440Z

Reserved: 2025-09-29T15:17:13.737Z

Link: CVE-2025-11161

Vulnrichment

Updated: 2025-10-15T16:13:03.433Z

NVD

Status : Analyzed

Published: 2025-10-15T07:15:32.023

Modified: 2025-11-26T15:10:01.260

Link: CVE-2025-11161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses