CVE-2025-11160 is a stored cross-site scripting vulnerability identified in the WPBakery Page Builder plugin for WordPress, affecting all versions up to and including 8.6.1. The root cause is insufficient input sanitization and output escaping in the Custom JS module, which allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, user credentials, or enabling further attacks such as phishing or defacement. The vulnerability requires the attacker to have at least contributor access, which is a common permission level for content creators, making it a realistic threat in multi-user WordPress environments. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change indicating that the vulnerability affects resources beyond the initially compromised component. The impact primarily affects confidentiality and integrity, with no direct availability impact. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability is categorized under CWE-80, indicating improper neutralization of script-related HTML tags, a classic XSS flaw. This vulnerability can be leveraged to perform persistent XSS attacks, which are more dangerous than reflected XSS due to their persistence and wider impact. Organizations using WPBakery Page Builder should review user permissions, especially for contributors, and consider disabling or restricting the Custom JS module until a patch is available. Monitoring and logging for suspicious script injections and unusual editor activity is also recommended.

For European organizations, this vulnerability poses a significant risk to websites using WPBakery Page Builder, particularly those with multiple content contributors. Exploitation can lead to session hijacking, unauthorized actions on behalf of users, data theft, and reputational damage. Since the attack requires contributor-level access, insider threats or compromised contributor accounts are primary vectors. The persistent nature of the XSS can affect all visitors to the injected pages, potentially leading to widespread compromise of user data and trust. This is especially critical for e-commerce, government, and financial sector websites where user data confidentiality and integrity are paramount. Additionally, GDPR compliance may be impacted if personal data is exposed or mishandled due to exploitation. The lack of availability impact reduces the risk of service disruption but does not diminish the threat to data security and user trust. European organizations with large WordPress deployments and extensive contributor bases are at higher risk, necessitating urgent attention to this vulnerability.

1. Immediately review and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious script injection. 2. Disable or restrict access to the WPBakery Page Builder Custom JS module until an official patch is released. 3. Implement strict Content Security Policies (CSP) to limit the execution of unauthorized scripts on affected websites. 4. Employ web application firewalls (WAF) with rules targeting XSS payloads and suspicious Custom JS module activity. 5. Monitor logs and audit trails for unusual editor activity or unexpected JavaScript injections. 6. Educate content contributors about the risks of injecting arbitrary scripts and enforce secure coding practices. 7. Regularly update WPBakery Page Builder once a patch is available and verify the integrity of plugin files. 8. Conduct periodic security assessments and penetration testing focusing on XSS vulnerabilities in content management systems. 9. Consider isolating or sandboxing user-generated scripts to prevent them from affecting other users or site components. 10. Backup website data regularly to enable quick recovery in case of compromise.