{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11161", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-29T15:17:13.737Z", "datePublished": "2025-10-15T06:43:56.365Z", "dateUpdated": "2026-04-08T16:42:55.440Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:55.440Z"}, "affected": [{"vendor": "wpbakery", "product": "WPBakery Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes."}], "title": "WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2772cade-c625-437a-b57b-ce8a2e3393bf?source=cve"}, {"url": "http://kb.wpbakery.com/docs/preface/release-notes/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-09-29T15:51:45.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-14T17:32:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T16:12:29.182581Z", "id": "CVE-2025-11161", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T16:13:10.184Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11161", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T16:12:29.182581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T16:13:03.433Z"}}], "cna": {"title": "WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpbakery", "product": "WPBakery Page Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "8.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-29T15:51:45.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-14T17:32:20.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2772cade-c625-437a-b57b-ce8a2e3393bf?source=cve"}, {"url": "http://kb.wpbakery.com/docs/preface/release-notes/"}], "descriptions": [{"lang": "en", "value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-15T06:43:56.365Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11161", "state": "PUBLISHED", "dateUpdated": "2025-10-15T16:13:10.184Z", "dateReserved": "2025-09-29T15:17:13.737Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T06:43:56.365Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EDDF2342-1A29-40FB-845E-15F586CA1504", "versionEndExcluding": "8.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes."}], "id": "CVE-2025-11161", "lastModified": "2025-11-26T15:10:01.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-10-15T07:15:32.023", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "http://kb.wpbakery.com/docs/preface/release-notes/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2772cade-c625-437a-b57b-ce8a2e3393bf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:04:40.708928+00:00", "value": {"mitigation_remediation": ["Update WPBakery Page Builder to a version newer than 8.6.1 that contains the fix. ", "If an update is not immediately possible, remove or disable the vc_custom_heading shortcode from the site to prevent storage of malicious scripts. ", "Revise user role permissions to reduce contributor-level or higher access until the plugin is updated, limiting the ability to inject the vulnerable shortcode."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the WPBakery Page Builder plugin for WordPress, specifically all versions up to and including 8.6.1. Users running any of those releases with the plugin installed are at risk.", "description_and_impact": "WPBakery Page Builder contains a stored cross\u2011site scripting flaw in the vc_custom_heading shortcode that arises from insufficient sanitization of the font_container attribute. The weakness allows an attacker who can edit content to inject malicious JavaScript that runs in the browsers of any visitor who views a page containing the problematic shortcode. This could lead to credential theft, defacement or the execution of further compromised code. The vulnerability is classified as CWE\u201180.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while an EPSS score of less than 1% suggests the likelihood of exploitation is currently very low. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated attacker with contributor-level or higher privileges and the ability to add or edit content using the vc_custom_heading shortcode. While the impact is limited to users who view pages edited by the attacker, a misconfigured or broad user role could expand the attack surface."}}}}, "created": "2025-10-20T13:27:01.009561+00:00", "updated": "2026-04-22T22:15:26.349752+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpbakery", "wpbakery$PRODUCT$page_builder"]}