{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11160", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-29T15:06:39.179Z", "datePublished": "2025-10-15T06:43:56.953Z", "dateUpdated": "2026-04-08T16:51:12.437Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:12.437Z"}, "affected": [{"vendor": "wpbakery", "product": "WPBakery Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types."}], "title": "WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c42cc4e-34e7-4f14-b850-7ba5dd2ae099?source=cve"}, {"url": "https://kb.wpbakery.com/docs/preface/release-notes/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-09-29T15:22:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-14T17:29:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T15:27:02.138023Z", "id": "CVE-2025-11160", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T15:27:46.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11160", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T15:27:02.138023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T15:27:13.185Z"}}], "cna": {"title": "WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpbakery", "product": "WPBakery Page Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-29T15:22:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-14T17:29:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c42cc4e-34e7-4f14-b850-7ba5dd2ae099?source=cve"}, {"url": "https://kb.wpbakery.com/docs/preface/release-notes/"}], "descriptions": [{"lang": "en", "value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:12.437Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11160", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:12.437Z", "dateReserved": "2025-09-29T15:06:39.179Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T06:43:56.953Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EDDF2342-1A29-40FB-845E-15F586CA1504", "versionEndExcluding": "8.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types."}], "id": "CVE-2025-11160", "lastModified": "2025-11-26T17:34:06.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-10-15T07:15:30.680", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://kb.wpbakery.com/docs/preface/release-notes/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c42cc4e-34e7-4f14-b850-7ba5dd2ae099?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:09:20.304769+00:00", "value": {"mitigation_remediation": ["Update WPBakery Page Builder to the latest available version, which removes the vulnerability.", "If an update is not immediately possible, disable the Custom JS module or restrict its use to trusted administrators only.", "Implement a strong Content Security Policy that limits execution of inline scripts and external sources to mitigate the impact of any remaining injection.", "Perform regular security scans of the WordPress installation for unauthorized scripts or suspicious code in database or files."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WPBakery Page Builder plugin, versions 8.6.1 and earlier. The vulnerability affects any installation where the Custom JS module is enabled and users can edit posts, pages, or other editor\u2011enabled post types.", "description_and_impact": "The WPBakery Page Builder plugin for WordPress is vulnerable to stored Cross\u2011Site Scripting (CWE\u201180) through its Custom JS module. The lack of proper input sanitization and output escaping allows an authenticated contributor or higher to embed arbitrary JavaScript that is persisted and executed on any page that includes the Custom JS module. This could lead to session hijacking, defacement, or the delivery of malicious payloads to site visitors.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog, implying it has not been observed in the wild on a large scale. Exploitation requires authenticated access to the WPBakery editor with contributor or higher privileges, making it an internal threat that could affect any site administrator who grants such permissions. Once the malicious script is inserted it will run for all visitors who load the affected page, making this a potentially broadly impactful risk for compromised sites."}}}}, "created": "2025-10-20T13:26:47.211423+00:00", "updated": "2026-04-22T13:15:17.845903+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpbakery", "wpbakery$PRODUCT$page_builder"]}