CVE-2025-11161
📋 TL;DR
The WPBakery Page Builder WordPress plugin has a stored XSS vulnerability in the vc_custom_heading shortcode. Authenticated attackers with contributor access or higher can inject malicious scripts into posts, which execute when users view those pages. This affects all WordPress sites using WPBakery Page Builder up to version 8.6.1.
💻 Affected Systems
- WPBakery Page Builder WordPress plugin
📦 What is this software?
Page Builder by WPBakery
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal visitor session cookies or display unwanted content.
If Mitigated
With proper user access controls and content filtering, impact is limited to isolated script execution in specific posts.
🎯 Exploit Status
Requires authenticated access (contributor role minimum) and knowledge of WPBakery shortcode usage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 8.6.2 or later
Vendor Advisory: http://kb.wpbakery.com/docs/preface/release-notes/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPBakery Page Builder.
4. Click 'Update Now' if available, or download the latest version from the vendor.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Restrict user roles
Limit contributor and author roles to trusted users only, or temporarily disable these roles if not needed.
Disable vulnerable shortcode
Remove or disable the vc_custom_heading shortcode via plugin settings or custom code.

```php
// Hooked on WPBakery's vc_shortcodes_css_class filter, which is applied to the
// CSS class string of every shortcode the plugin renders (class, shortcode base, attributes).
add_filter('vc_shortcodes_css_class', 'disable_custom_heading', 10, 3);

function disable_custom_heading($class, $tag, $atts) {
    // Blank the CSS class for vc_custom_heading only; every other shortcode keeps its class.
    // Note that this only strips the wrapper class: the shortcode itself still renders,
    // so it reduces styling, not the stored markup the vulnerability is about.
    if ($tag === 'vc_custom_heading') {
        return '';
    }
    return $class;
}
```
🧯 If You Can't Patch
- Implement strict content security policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to block suspicious shortcode attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WPBakery Page Builder version 8.6.1 or lower.
Check Version:
wp plugin list --name=WPBakery --field=version
Verify Fix Applied:
Confirm plugin version is 8.6.2 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/post.php with vc_custom_heading parameters
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to unknown domains after page load
- Unexpected script tags in page source containing vc_custom_heading
SIEM Query:
source="wordpress.log" AND "vc_custom_heading" AND ("script" OR "onerror" OR "javascript:")
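The SIEM query above applied as a content scanner, written as an added example for this advisory (it is not code from the advisory or from WPBakery): it parses each vc_custom_heading shortcode's attributes out of stored post content or a logged request body and flags the indicator terms. It goes slightly beyond the three literal terms by matching any inline on*= handler and only an opening <script tag, and it decodes URL encoding and HTML entities first; the sample content and the attribute names in it are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# One vc_custom_heading shortcode and its raw attribute string. Values containing a
# literal ']' are not handled, matching the limits of WordPress's own shortcode parsing.
_SHORTCODE_RE = re.compile(r'\[vc_custom_heading\b([^\]]*)\]', re.IGNORECASE)
# WordPress shortcode attribute grammar: key="v", key='v' or key=bare.
_ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))')

# Indicator patterns. These generalise the SIEM query's terms: any inline event handler
# (on*=) is flagged rather than only onerror, and "script" is matched only as an opening
# <script tag so that ordinary words such as "description" do not trigger a hit.
_INDICATORS = {
    "script_tag": re.compile(r'<\s*script\b', re.IGNORECASE),
    "event_handler": re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE),
    "javascript_uri": re.compile(r'javascript\s*:', re.IGNORECASE),
}

def parse_attrs(attr_string):
    """Map attribute name -> value for one shortcode's attribute string."""
    attrs = {}
    for m in _ATTR_RE.finditer(attr_string):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs

def find_suspicious_headings(text):
    """Return (attribute, decoded_value, indicator) for every vc_custom_heading attribute
    carrying an XSS indicator. `text` may be stored post content or a form-encoded request
    body: it is URL-decoded once, and each attribute value is entity-decoded before matching."""
    hits = []
    for sc in _SHORTCODE_RE.finditer(unquote_plus(text)):
        for name, raw in parse_attrs(sc.group(1)).items():
            value = html.unescape(raw)
            for label, pattern in _INDICATORS.items():
                if pattern.search(value):
                    hits.append((name, value, label))
                    break
    return hits

# Constructed sample content (not real site data): a benign heading, one with an inline
# event handler in an attribute, and one whose link uses an entity-encoded javascript: URI.
SAMPLE_POST = (
    '[vc_custom_heading text="Welcome" font_container="tag:h2|text_align:left"]'
    '[vc_custom_heading text="Sale <img src=x onerror=track()>" link="url:https://example.com|title:Shop"]'
    '[vc_custom_heading link="url:&#106;avascript:void(0)|title:More"]'
)

SUSPICIOUS = find_suspicious_headings(SAMPLE_POST)  # flags the second and third headings only
```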