PT-2025-42239 · WordPress · Wpbakery Page Builder

Published

2025-10-15

Updated

2025-11-26

CVE-2025-11161

CVSS v3.1

6.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions WPBakery Page Builder versions prior to 8.6.2

Description The WPBakery Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting through the vc custom heading shortcode. This is caused by inadequate restriction of permitted HTML tags and improper sanitization of user-supplied attributes within the font container parameter. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into posts. These scripts will execute when a user accesses an injected page using the vc custom heading shortcode with malicious tag and text attributes.

Recommendations Update WPBakery Page Builder to version 8.6.2 or later.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-80

Related Identifiers

CVE-2025-11161

Affected Products

Wpbakery Page Builder

PT-2025-42239 · WordPress · Wpbakery Page Builder

CVE-2025-11161

Weakness Enumeration

Related Identifiers

Affected Products

References · 7