WordPress Plugin Vulnerabilities

WPBakery Page Builder < 8.7 - Stored Cross-Site Scripting via Custom JS Module

Description

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types.

Affects Plugins

Plugin icon
js_composer
Fixed in 8.7

References

CVE
CVE-2025-11160
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4c42cc4e-34e7-4f14-b850-7ba5dd2ae099

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
3f7ba5d6-4731-4d02-bb06-ea00fcffa875

Timeline

Publicly Published
2025-10-14 (about 6 months ago)
Added
2025-10-14 (about 6 months ago)
Last Updated
2025-10-15 (about 6 months ago)

Other

Published
Title
Published
2024-02-23
Title
Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-11-29
Title
Quiz and Survey Master < 8.0.5 - Unauthenticated iFrame Injection
Published
2024-03-29
Title
WordPress File Upload < 4.24.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-01-29
Title
Order Delivery Date for WP e-Commerce <= 1.2 - Unauthenticated Stored Cross-Site Scripting
Published
2024-03-06
Title
Otter Blocks PRO < 2.6.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via File Field CSS