CVE-2025-11160

Medium CVSS: 6.4

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types.

Vendor

Wpbakery

Product

Page Builder

CWE

CWE-80

Yayın Tarihi

2025-10-15 07:15:30

Güncelleme

2025-11-26 17:34:06

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-80 Page Builder MEDIUM Wpbakery 2025

Referanslar

https://kb.wpbakery.com/docs/preface/release-notes/ https://www.wordfence.com/threat-intel/vulnerabilities/id/4c42cc4e-34e7-4f14-b850-7ba5dd2ae099?source=cve

Benzer Kayıtlar

Medium

CVE-2025-10006

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rev_slider…

Medium

CVE-2025-11161

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading sh…

Medium

CVE-2025-7502

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several sh…

Medium

CVE-2025-4968

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple P…

Medium

CVE-2025-4965

The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin…