CVE-2025-11160 is a stored cross-site scripting vulnerability identified in the WPBakery Page Builder plugin for WordPress, affecting all versions up to and including 8.6.1. The vulnerability stems from insufficient input sanitization and output escaping in the Custom JS module, which allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability does not require user interaction beyond visiting the infected page and does not require elevated privileges beyond contributor-level access, which is commonly granted to many users in WordPress environments. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required but no user interaction needed. The vulnerability impacts confidentiality and integrity but not availability. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-80, indicating improper neutralization of script-related HTML tags, a common XSS category. This vulnerability highlights the risks of insufficient input validation in widely used CMS plugins and the importance of strict content sanitization in user-editable modules.

The primary impact of CVE-2025-11160 is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using WPBakery Page Builder. This can lead to session hijacking, theft of sensitive user data, unauthorized actions performed on behalf of users, and defacement or redirection attacks. Since the injected scripts execute in the context of the victim's browser, any user visiting the compromised page is at risk. For organizations, this can result in reputational damage, loss of customer trust, data breaches, and compliance violations. The medium severity score reflects that while the vulnerability requires some level of authentication, the attack complexity is low and the scope is broad due to WPBakery's widespread use. The vulnerability does not impact availability directly but compromises confidentiality and integrity, which can have serious downstream effects. E-commerce sites, membership platforms, and any WordPress-based service relying on WPBakery are particularly vulnerable to exploitation. The lack of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

1. Immediate mitigation should focus on restricting contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2. Administrators should monitor and audit Custom JS module content regularly for unauthorized or suspicious scripts. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting WPBakery Custom JS inputs. 4. Disable or restrict the use of the Custom JS module if it is not essential to site functionality. 5. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of injected scripts. 6. Stay alert for official patches or updates from WPBakery and apply them promptly once available. 7. Educate site administrators and contributors about the risks of injecting JavaScript and enforce strict content policies. 8. Use security plugins that can scan for malicious code injections within WordPress content. These measures combined can reduce the attack surface and mitigate exploitation risks until an official patch is released.