CVE-2025-11160: 
WordPress vulnerability analysis and mitigation

The WPBakery Page Builder plugin for WordPress (versions up to 8.6.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2025-11160) discovered on October 14, 2025. The vulnerability exists in the Custom JS module due to insufficient input sanitization and output escaping of user-supplied JavaScript code (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The weakness is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The vulnerability requires an authenticated attacker with contributor-level access or higher to exploit (Wordfence).

When exploited, the vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module, provided they have access to the WPBakery editor for post types (NVD).

Based on the release notes, WPBakery has addressed this vulnerability in version 8.7.0 released on October 13, 2025. Users are advised to update to the latest version of the plugin (WPBakery KB).