CVE-2025-11161 is a stored cross-site scripting vulnerability classified under CWE-80, found in the WPBakery Page Builder plugin for WordPress, specifically in all versions up to and including 8.6.1. The vulnerability stems from insufficient restrictions on allowed HTML tags and improper sanitization of user-supplied attributes within the font_container parameter of the vc_custom_heading shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into posts. When other users access pages containing the malicious shortcode, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability requires no user interaction beyond visiting the compromised page but does require authenticated access to inject the payload. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable plugin. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk in multi-user WordPress environments where contributors can add content. The lack of official patches at the time of publication necessitates immediate mitigation efforts by administrators.

The primary impact of CVE-2025-11161 is the compromise of confidentiality and integrity within affected WordPress sites using WPBakery Page Builder. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, defacing content, or performing actions on behalf of victims. This can lead to unauthorized access escalation, data leakage, and reputational damage. Since the vulnerability does not affect availability, denial-of-service is less of a concern. However, the scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially impacting the broader WordPress environment. Organizations with multiple contributors or editors are at higher risk, especially those that do not restrict shortcode usage or lack strict content moderation. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes widely known.

To mitigate CVE-2025-11161, organizations should first verify if they are running WPBakery Page Builder versions up to 8.6.1 and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level users from using the vc_custom_heading shortcode or disable shortcode usage entirely for lower-privileged roles. Implementing a strict content filtering policy that sanitizes or strips potentially dangerous HTML tags and attributes in user-generated content can reduce risk. Employing a Web Application Firewall (WAF) with rules targeting XSS payloads related to WPBakery shortcodes can provide additional protection. Regularly auditing user roles and permissions to minimize the number of users with contributor or higher access reduces the attack surface. Monitoring logs for unusual shortcode usage or script injections can help detect exploitation attempts early. Finally, educating content contributors about safe content practices and the risks of injecting untrusted HTML can further mitigate risks.