Search criteria
10 vulnerabilities found for WPBakery Page Builder by WPBakery
CVE-2025-10006 (GCVE-0-2025-10006)
Vulnerability from cvelistv5 – Published: 2025-10-18 06:42 – Updated: 2025-10-20 18:54
VLAI?
Title
WPBakery Page Builder <= 8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rev_slider_vc' shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when RevSlider is also installed.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.6
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T18:52:12.099082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T18:54:49.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027rev_slider_vc\u0027 shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when RevSlider is also installed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-18T06:42:45.649Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d7b12e5-0de7-45f4-84e0-083818912623?source=cve"
},
{
"url": "https://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-04T19:25:33.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-17T18:22:34.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder \u003c= 8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10006",
"datePublished": "2025-10-18T06:42:45.649Z",
"dateReserved": "2025-09-04T19:10:21.646Z",
"dateUpdated": "2025-10-20T18:54:49.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11160 (GCVE-0-2025-11160)
Vulnerability from cvelistv5 – Published: 2025-10-15 06:43 – Updated: 2025-10-15 15:27
VLAI?
Title
WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module
Summary
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types.
Severity ?
6.4 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.6.1
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T15:27:02.138023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T15:27:46.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.6.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T06:43:56.953Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c42cc4e-34e7-4f14-b850-7ba5dd2ae099?source=cve"
},
{
"url": "https://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-29T15:22:41.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-14T17:29:05.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder \u003c= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11160",
"datePublished": "2025-10-15T06:43:56.953Z",
"dateReserved": "2025-09-29T15:06:39.179Z",
"dateUpdated": "2025-10-15T15:27:46.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11161 (GCVE-0-2025-11161)
Vulnerability from cvelistv5 – Published: 2025-10-15 06:43 – Updated: 2025-10-15 16:13
VLAI?
Title
WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode
Summary
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes.
Severity ?
6.4 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.6.1
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T16:12:29.182581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T16:13:10.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.6.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T06:43:56.365Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2772cade-c625-437a-b57b-ce8a2e3393bf?source=cve"
},
{
"url": "http://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-29T15:51:45.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-14T17:32:20.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder \u003c= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11161",
"datePublished": "2025-10-15T06:43:56.365Z",
"dateReserved": "2025-09-29T15:17:13.737Z",
"dateUpdated": "2025-10-15T16:13:10.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7502 (GCVE-0-2025-7502)
Vulnerability from cvelistv5 – Published: 2025-08-06 01:45 – Updated: 2025-08-06 15:31
VLAI?
Title
WPBakery Page Builder for WordPress <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.5
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T15:24:58.382415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T15:31:36.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T01:45:13.932Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c80143-c328-4cd1-95db-67de2edc058c?source=cve"
},
{
"url": "https://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-15T13:15:47.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-08-05T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder for WordPress \u003c= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-7502",
"datePublished": "2025-08-06T01:45:13.932Z",
"dateReserved": "2025-07-11T18:10:32.390Z",
"dateUpdated": "2025-08-06T15:31:36.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31213 (GCVE-0-2023-31213)
Vulnerability from cvelistv5 – Published: 2023-06-22 10:05 – Updated: 2024-10-10 17:25
VLAI?
Title
WordPress WPBakery Page Builder Plugin < 6.13.0 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPBakery Page Builder plugin <= 6.13.0 versions.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPBakery | WPBakery Page Builder |
Affected:
n/a , < 6.13.0
(custom)
|
Credits
Rafie Muhammad (Patchstack)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:30.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/js_composer/wordpress-wpbakery-page-builder-plugin-6-13-0-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T17:24:46.344215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T17:25:00.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wpbakery.com/",
"defaultStatus": "unaffected",
"packageName": "js_composer",
"product": "WPBakery Page Builder",
"vendor": "WPBakery",
"versions": [
{
"changes": [
{
"at": "6.13.0",
"status": "unaffected"
}
],
"lessThan": "6.13.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPBakery Page Builder plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;6.13.0 versions.\u003c/span\u003e"
}
],
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPBakery Page Builder plugin \u003c=\u00a06.13.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T10:05:58.652Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/js_composer/wordpress-wpbakery-page-builder-plugin-6-13-0-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;6.13.0 or a higher version."
}
],
"value": "Update to\u00a06.13.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WPBakery Page Builder Plugin \u003c 6.13.0 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-31213",
"datePublished": "2023-06-22T10:05:58.652Z",
"dateReserved": "2023-04-25T12:01:56.445Z",
"dateUpdated": "2024-10-10T17:25:00.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10006 (GCVE-0-2025-10006)
Vulnerability from nvd – Published: 2025-10-18 06:42 – Updated: 2025-10-20 18:54
VLAI?
Title
WPBakery Page Builder <= 8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rev_slider_vc' shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when RevSlider is also installed.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.6
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10006",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T18:52:12.099082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T18:54:49.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027rev_slider_vc\u0027 shortcode in all versions up to, and including, 8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when RevSlider is also installed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-18T06:42:45.649Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d7b12e5-0de7-45f4-84e0-083818912623?source=cve"
},
{
"url": "https://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-04T19:25:33.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-17T18:22:34.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder \u003c= 8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10006",
"datePublished": "2025-10-18T06:42:45.649Z",
"dateReserved": "2025-09-04T19:10:21.646Z",
"dateUpdated": "2025-10-20T18:54:49.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11160 (GCVE-0-2025-11160)
Vulnerability from nvd – Published: 2025-10-15 06:43 – Updated: 2025-10-15 15:27
VLAI?
Title
WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module
Summary
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types.
Severity ?
6.4 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.6.1
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T15:27:02.138023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T15:27:46.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.6.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor for post types."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T06:43:56.953Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c42cc4e-34e7-4f14-b850-7ba5dd2ae099?source=cve"
},
{
"url": "https://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-29T15:22:41.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-14T17:29:05.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder \u003c= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11160",
"datePublished": "2025-10-15T06:43:56.953Z",
"dateReserved": "2025-09-29T15:06:39.179Z",
"dateUpdated": "2025-10-15T15:27:46.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-11161 (GCVE-0-2025-11161)
Vulnerability from nvd – Published: 2025-10-15 06:43 – Updated: 2025-10-15 16:13
VLAI?
Title
WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode
Summary
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes.
Severity ?
6.4 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.6.1
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T16:12:29.182581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T16:13:10.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.6.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T06:43:56.365Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2772cade-c625-437a-b57b-ce8a2e3393bf?source=cve"
},
{
"url": "http://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-29T15:51:45.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-14T17:32:20.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder \u003c= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11161",
"datePublished": "2025-10-15T06:43:56.365Z",
"dateReserved": "2025-09-29T15:17:13.737Z",
"dateUpdated": "2025-10-15T16:13:10.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7502 (GCVE-0-2025-7502)
Vulnerability from nvd – Published: 2025-08-06 01:45 – Updated: 2025-08-06 15:31
VLAI?
Title
WPBakery Page Builder for WordPress <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpbakery | WPBakery Page Builder |
Affected:
* , ≤ 8.5
(semver)
|
Credits
Matthew Rollings
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T15:24:58.382415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T15:31:36.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBakery Page Builder",
"vendor": "wpbakery",
"versions": [
{
"lessThanOrEqual": "8.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T01:45:13.932Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c80143-c328-4cd1-95db-67de2edc058c?source=cve"
},
{
"url": "https://kb.wpbakery.com/docs/preface/release-notes/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-15T13:15:47.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-08-05T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WPBakery Page Builder for WordPress \u003c= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-7502",
"datePublished": "2025-08-06T01:45:13.932Z",
"dateReserved": "2025-07-11T18:10:32.390Z",
"dateUpdated": "2025-08-06T15:31:36.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31213 (GCVE-0-2023-31213)
Vulnerability from nvd – Published: 2023-06-22 10:05 – Updated: 2024-10-10 17:25
VLAI?
Title
WordPress WPBakery Page Builder Plugin < 6.13.0 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPBakery Page Builder plugin <= 6.13.0 versions.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WPBakery | WPBakery Page Builder |
Affected:
n/a , < 6.13.0
(custom)
|
Credits
Rafie Muhammad (Patchstack)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:30.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/js_composer/wordpress-wpbakery-page-builder-plugin-6-13-0-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T17:24:46.344215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T17:25:00.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wpbakery.com/",
"defaultStatus": "unaffected",
"packageName": "js_composer",
"product": "WPBakery Page Builder",
"vendor": "WPBakery",
"versions": [
{
"changes": [
{
"at": "6.13.0",
"status": "unaffected"
}
],
"lessThan": "6.13.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPBakery Page Builder plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;6.13.0 versions.\u003c/span\u003e"
}
],
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPBakery Page Builder plugin \u003c=\u00a06.13.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-22T10:05:58.652Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/js_composer/wordpress-wpbakery-page-builder-plugin-6-13-0-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;6.13.0 or a higher version."
}
],
"value": "Update to\u00a06.13.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WPBakery Page Builder Plugin \u003c 6.13.0 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-31213",
"datePublished": "2023-06-22T10:05:58.652Z",
"dateReserved": "2023-04-25T12:01:56.445Z",
"dateUpdated": "2024-10-10T17:25:00.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}