CVE-2025-11160
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious JavaScript code via the WPBakery Page Builder's Custom JS module. The injected scripts execute whenever users visit affected pages, enabling attackers to steal session cookies, redirect users, or perform other malicious actions. All WordPress sites using WPBakery Page Builder versions up to 8.6.1 are affected.
💻 Affected Systems
- WPBakery Page Builder for WordPress
📦 What is this software?
WPBakery Page Builder, a page builder plugin for WordPress.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, install backdoors, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform phishing attacks, or deface websites by modifying page content.
If Mitigated
With proper user access controls and input validation, the impact is limited to potential content defacement or minor data exposure from lower-privileged accounts.
🎯 Exploit Status
Exploitation requires authenticated access to the WordPress backend with at least contributor permissions, plus familiarity with the WordPress and WPBakery Page Builder interfaces.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 8.6.2 or later
Vendor Advisory: https://kb.wpbakery.com/docs/preface/release-notes/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPBakery Page Builder.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Custom JS Module
Temporarily disable the vulnerable Custom JS module in the WPBakery Page Builder settings.
Restrict User Permissions
Remove contributor-level access to the WPBakery Page Builder editor for all non-administrator users.
🧯 If You Can't Patch
- Implement strict user access controls to limit who can edit posts/pages with WPBakery Page Builder
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in POST requests
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel > Plugins > Installed Plugins for the WPBakery Page Builder version. If the version is 8.6.1 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=WPBakery --field=version (if WP-CLI is installed)
Verify Fix Applied:
After updating, verify WPBakery Page Builder version shows 8.6.2 or higher in WordPress plugins list.
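The version check above is easy to get wrong when scripted, because a plain string comparison ranks "8.10.0" below "8.6.2". The script below is an added example, not part of this advisory or of the WPBakery project: it compares a dotted version string component by component against the fixed release 8.6.2 and reports whether the installed plugin is still affected. It assumes the version string is obtained from WP-CLI and that the plugin's slug is js_composer; the default value 8.6.1 used when no argument is given is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: compare an installed WPBakery Page
# Builder version against the fixed release named on this page (8.6.2).
FIXED_VERSION="8.6.2"

# version_cmp A B: compare two dotted version strings component by component.
# Prints -1 (A < B), 0 (A = B) or 1 (A > B). A trailing dot is appended so
# that cut always sees a delimiter, even for a single-component version like
# "9"; missing components count as 0 and non-digit suffixes ("2-beta") are dropped.
version_cmp() {
  a="$1." b="$2." i=1
  while :; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then
      # both strings exhausted with no difference found
      printf '%s\n' 0
      return 0
    fi
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
}

# wpbakery_is_vulnerable VERSION: exit status 0 (true) when VERSION is older
# than the fixed release, i.e. 8.6.1 or lower.
wpbakery_is_vulnerable() {
  [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Stand-alone use: pass the installed version as the first argument, typically
# the output of WP-CLI. The slug js_composer is an assumption about the plugin's
# directory name; the constructed default 8.6.1 is used when no argument is given.
#   wpbakery_is_vulnerable "$(wp plugin list --name=js_composer --field=version)"
INSTALLED_VERSION="${1:-8.6.1}"
if wpbakery_is_vulnerable "$INSTALLED_VERSION"; then
  printf 'WPBakery Page Builder %s is below %s: update required\n' "$INSTALLED_VERSION" "$FIXED_VERSION"
else
  printf 'WPBakery Page Builder %s is at or above %s: fix applied\n' "$INSTALLED_VERSION" "$FIXED_VERSION"
fi
```

Run it across a fleet by feeding each site's WP-CLI output to wpbakery_is_vulnerable; a non-zero exit status is the "fix applied" outcome the "Verify Fix Applied" step asks for, so the function can gate a compliance script directly.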
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin containing JavaScript payloads
- Multiple failed login attempts followed by a successful contributor-level login
Network Indicators:
- Unexpected JavaScript code in page responses from WordPress sites
- Suspicious outbound connections from WordPress sites to unknown domains
SIEM Query:
source="wordpress.log" AND ("custom_js" OR "wpbakery") AND ("script" OR "javascript" OR "onload" OR "onerror")
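For teams without a SIEM, the same three conditions as the query above (a POST to wp-admin, a reference to the page builder or its Custom JS field, and a script-like token) can be applied to request logs with standard tools. The script below is an added example, not part of this advisory or of the WPBakery project. Its log format is constructed: a combined-style access line followed by a body="..." field holding the POST body, as a WAF or application request log might record it; the parameter names inside the bodies (post_id, custom_js) are constructed as well and are not the plugin's real request parameters.

```shell
#!/bin/sh
# Added example, not part of the advisory: apply this page's log indicators to
# request log lines. The log format and the request parameter names are
# constructed for the example; no real traffic is included.

# sample_log: constructed lines, one request each.
sample_log() {
  cat <<'EOF'
203.0.113.10 - contributor1 [12/Oct/2025:10:01:22 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="post_id=42&custom_js=<script>alert(1)</script>"
203.0.113.10 - contributor1 [12/Oct/2025:10:02:05 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 body="post_ID=42&content=Hello+world"
198.51.100.7 - editor2 [12/Oct/2025:10:05:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="post_id=17&custom_js=document.addEventListener('DOMContentLoaded',init)"
198.51.100.7 - editor2 [12/Oct/2025:10:06:12 +0000] "GET /wp-admin/post.php?post=17&action=edit HTTP/1.1" 200 body=""
203.0.113.10 - contributor1 [12/Oct/2025:10:09:13 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="post_id=42&custom_js=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"
EOF
}

# flag_custom_js_requests: reads log lines on stdin and prints those matching
# all three conditions of the page's SIEM query, restricted to POST requests:
#   1. a POST to a path under /wp-admin/
#   2. a reference to the page builder or its Custom JS field
#   3. a script-like token, matched in raw and URL-encoded form
flag_custom_js_requests() {
  grep -E '"POST /wp-admin/[^"]*"' \
    | grep -E -i 'custom_js|wpbakery' \
    | grep -E -i '<script|%3Cscript|javascript:|onload|onerror'
}

# count_hits: number of flagged lines in the constructed sample.
count_hits() {
  sample_log | flag_custom_js_requests | wc -l | tr -d ' '
}

# Stand-alone run: print the flagged lines (two of the five sample requests).
sample_log | flag_custom_js_requests
```

Two of the five sample lines are flagged, both from the contributor account; the editor's save of a harmless event listener passes through even though it is JavaScript, because it carries none of the script tokens. Legitimate use of the Custom JS module will sometimes match, so treat hits as triage candidates and correlate them with the submitting user's role, which is the contributor-level access this advisory is about. Real request logs often store bodies URL-encoded, which is why the last pattern also matches %3Cscript; decoding the body before matching is the more reliable option where the log source allows it.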