CVE-2025-11161 is a stored cross-site scripting vulnerability identified in the WPBakery Page Builder plugin for WordPress, affecting all versions up to and including 8.6.1. The root cause is insufficient sanitization and improper restriction of allowed HTML tags within the font_container parameter of the vc_custom_heading shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into posts via specially crafted shortcode attributes. When any user accesses a page containing the malicious shortcode, the injected script executes in their browser context, potentially compromising session tokens, redirecting users, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond page viewing and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based with low attack complexity and privileges required at the contributor level. The scope is changed since the vulnerability affects multiple users viewing the injected content. No public exploits have been reported yet, but the vulnerability is significant due to the popularity of WPBakery Page Builder and WordPress globally. The flaw is categorized under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), a common XSS weakness. Mitigation currently relies on limiting contributor permissions, sanitizing inputs, and monitoring for suspicious shortcode usage until an official patch is released.

For European organizations, this vulnerability poses a risk primarily to websites and web applications built on WordPress using the WPBakery Page Builder plugin. Given WordPress's dominant market share in Europe for content management systems, many organizations—ranging from SMEs to large enterprises—could be exposed. Exploitation can lead to session hijacking, defacement, unauthorized actions performed on behalf of users, and potential data leakage, undermining user trust and compliance with data protection regulations such as GDPR. The requirement for contributor-level access limits the attack surface but insider threats or compromised accounts could be leveraged. The vulnerability could also be used as a foothold for further attacks within an organization's network. The impact on confidentiality and integrity is moderate, while availability is not affected. Organizations with public-facing WordPress sites, especially those handling sensitive user data or e-commerce, face reputational and operational risks. The medium severity rating suggests prioritization but not emergency response unless combined with other threats.

1. Immediately review and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious shortcode injection. 2. Implement strict input validation and sanitization on all user-generated content, particularly for shortcodes and HTML attributes, using server-side filtering libraries or WordPress security plugins that enforce content sanitization. 3. Monitor WordPress sites for unusual shortcode usage or unexpected script tags within posts, employing automated scanning tools or SIEM alerts. 4. Disable or restrict the use of the vc_custom_heading shortcode for contributors if possible until a patch is available. 5. Maintain regular backups of website content to enable rapid restoration if defacement or compromise occurs. 6. Stay informed about updates from WPBakery and apply security patches promptly once released. 7. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 8. Educate content creators and administrators about the risks of XSS and the importance of secure content management practices.