CVE-2025-11161
WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading ShortcodeThe WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use WPBakery shortcodes.
We have discovered 1,101,202 live websites that are affected by CVE-2025-11161.
Affected Software
| Product |  WPBakery |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,101,202 live websites (87% of WPBakery install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 235 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)Details
- Published - Oct 15, 2025
- Updated - Apr 8, 2026
Credits
- Muhammad Yudha - DJ (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-11161 United States | 294,522 websites |
 Germany | 113,169 websites |
 Italy | 68,253 websites |
 France | 66,529 websites |
 GB | 53,041 websites |
 Spain | 39,750 websites |
 Netherlands | 39,238 websites |
 Poland | 26,326 websites |
 Canada | 24,412 websites |
 Russia | 23,957 websites |
Website Distribution by TLD
Number of websites using CVE-2025-11161| .com | 458,275 websites |
| .de | 61,592 websites |
| .it | 48,590 websites |
| .org | 39,611 websites |
| .nl | 35,200 websites |
| .co.uk | 32,771 websites |
| .fr | 26,534 websites |
| .net | 20,887 websites |
| .com.br | 20,605 websites |
| .com.au | 20,561 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-11161
Top websites that are affected by CVE-2025-11161. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.********.com | United States | *** | |
| **********.com | United States | *** | |
| *************.uk | United States | *,*** | |
| *********.nl | United States | *,*** | |
| ********.com | United States | *,*** | |
| ****.eu |  Belgium | *,*** | |
| ***********.com |  Switzerland | *,*** | |
| *********.com | United States | *,*** | |
| ****.edu | United States | *,*** | |
| ******.com | United States | *,*** |
FAQ
CVE-2025-11161 is Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in WPBakery
A total of 1,101,202 websites have been identified as vulnerable to CVE-2025-11161, based on global website indexing conducted by WebTechSurvey.
The WPBakery is affected by the CVE-2025-11161 vulnerability.
WPBakery versions up to and including 8.6.1 are vulnerable to CVE-2025-11161.