WPBakery Plugin Vulnerability Exposes WordPress Sites to Malicious Code Injection

Roger Montti of Search Engine Journal has reported a serious security issue in the WPBakery page builder plugin for WordPress, a tool bundled with thousands of premium themes. The vulnerability, present in plugin versions up to and including 8.6.1, allows an attacker with at least contributor-level access to inject arbitrary JavaScript that then executes in the browsers of other users viewing the affected site.

WPBakery is one of WordPress's most popular page builders, offering a drag-and-drop interface for building custom layouts without writing code. The flaw lies in how the plugin's Custom JS module handles user input: the input is not adequately sanitized when it is saved, and it is not escaped when it is written back into a page. Those are the two safeguards that are supposed to keep harmful code out of the database and out of the rendered HTML. The contributor threshold matters because WordPress deliberately withholds the unfiltered_html capability from contributors and authors; a module that lets such an account store raw script bypasses that boundary.

When those checks are missing, an attacker with a contributor account can store a script in the module once, after which it runs automatically in the browser of every visitor who views the infected page. This is a stored (persistent) cross-site scripting (XSS) vulnerability. Depending on who views the page, the consequences range from stolen session cookies and credentials to actions performed with the victim's privileges, and, if the victim is an administrator, full site compromise.
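As an added illustration of the two safeguards above, the following hypothetical WordPress meta box stores per-post custom markup in a vulnerable form and in a hardened form. This is example code written for this article, not WPBakery's code; the function names, meta key, nonce action and hook names are assumptions chosen for the demonstration.

```php
<?php
/**
 * Hypothetical per-post "custom markup" meta box (not WPBakery's code).
 * The function names, the '_demo_markup' meta key and the nonce action are
 * assumptions for illustration. Shows the stored-XSS pattern and the two
 * safeguards (input sanitization, output escaping) that close it.
 */

/* ---------- Vulnerable pattern (shown only, never hooked) ---------- */

// Saves whatever was submitted. Nothing limits who may store raw markup.
function demo_save_markup_vulnerable( $post_id ) {
    if ( ! isset( $_POST['demo_markup'] ) ) {
        return;
    }
    // A contributor can store "<script>...</script>" here.
    update_post_meta( $post_id, '_demo_markup', wp_unslash( $_POST['demo_markup'] ) );
}

// Emits the stored value verbatim, so the payload runs for every visitor.
function demo_render_markup_vulnerable( $post_id ) {
    echo get_post_meta( $post_id, '_demo_markup', true );
}

/* ---------- Hardened pattern ---------- */

function demo_meta_box_html( $post ) {
    // The nonce ties the save request to this form and this post.
    wp_nonce_field( 'demo_save_markup_' . $post->ID, 'demo_nonce' );
    $value = get_post_meta( $post->ID, '_demo_markup', true );
    // Output escaping in the editor: an administrator opening a contributor's
    // draft must not execute whatever the contributor typed.
    printf(
        '<textarea name="demo_markup" rows="8" cols="60">%s</textarea>',
        esc_textarea( $value )
    );
}

function demo_save_markup( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! isset( $_POST['demo_markup'], $_POST['demo_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['demo_nonce'], 'demo_save_markup_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['demo_markup'] );

    // Input sanitization, gated on capability: only users WordPress already
    // trusts with raw HTML (unfiltered_html, which contributors and authors
    // lack) may store script. Everyone else is filtered with the same
    // allowlist as a post body, which drops <script>, on* event handlers
    // and javascript: URLs.
    $value = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );

    update_post_meta( $post_id, '_demo_markup', $value );
}

function demo_render_markup( $post_id ) {
    $value = get_post_meta( $post_id, '_demo_markup', true );
    if ( '' === $value ) {
        return;
    }
    // Output filtering as a second layer: a payload that reached the database
    // before the fix, or through some other plugin, is still neutralized here.
    echo wp_kses_post( $value );
}

add_action( 'save_post', 'demo_save_markup' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_markup', 'Custom markup', 'demo_meta_box_html', 'post' );
} );
```

Two points about the design. The capability check at save time is the real boundary: WordPress already decides, through unfiltered_html, which users may publish script, and the module should defer to that decision rather than invent its own. The filtering at render time is defense in depth and deliberately strips script even from privileged users' content; a feature whose purpose is to emit raw JavaScript cannot use that second layer, so in that case the capability check at save time carries the whole weight and must be correct.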

According to Montti's report, the WPBakery developers have released version 8.7, which fixes the vulnerability. Site owners running WPBakery are strongly advised to update to 8.7 or later immediately and to notify their visitors. Two practical checks follow from this. Because WPBakery is frequently shipped inside a theme rather than installed from the WordPress plugin directory, the update may have to come from the theme vendor, so confirm the installed version on the Plugins screen rather than assuming automatic updates applied. And since the update closes the injection path but does not audit content that was saved before it, any Custom JS content created by contributor-level accounts should be reviewed for scripts that do not belong there.