WPBakery Flaw Enables Code Injection

A security warning has been released for the widely used WPBakery page builder plugin, which comes packaged with thousands of WordPress themes. The flaw allows logged-in attackers to upload and run harmful scripts that trigger whenever a visitor accesses a compromised page.

WPBakery Plugin

WPBakery is a WordPress plugin that allows users to design custom pages and layouts through a simple drag-and-drop interface, eliminating the need for coding skills. It’s commonly included with many premium themes, as developers often license it to offer built-in page-building features to their users.

WPBakery Vulnerability

A recent discovery has brought to light a critical security issue in the WPBakery Page Builder plugin for WordPress, one of the most widely used tools for creating drag-and-drop layouts. The flaw lies in the plugin’s Custom JS module, where inadequate input sanitisation and output escaping have been found. These two essential processes are meant to protect websites from harmful data being uploaded or executed, and when they fail, they create serious vulnerabilities.

Input sanitisation is the process of filtering or cleaning data entered by users before it is stored or processed by the plugin. Without this layer of protection, malicious scripts or harmful code can be introduced into a site’s database or functionality. Output escaping, on the other hand, ensures that special HTML characters are safely displayed on web pages instead of being executed as code. When output escaping is not properly implemented, it can allow attackers to inject and run code directly on a live website, putting visitors and administrators at risk.

Due to this issue, attackers with contributor-level access or higher may be able to exploit the plugin by injecting arbitrary scripts into vulnerable websites. Once the malicious code is active, it could potentially affect how the site functions, steal sensitive information, or redirect users to unsafe external pages. In more severe cases, this kind of weakness can lead to Cross-Site Scripting (XSS) and SQL Injection vulnerabilities, which are among the most common and dangerous threats faced by WordPress users.

This particular flaw affects all versions of the WPBakery Page Builder plugin up to and including version 8.6.1. It’s worth noting that WPBakery is bundled with thousands of premium WordPress themes, meaning the risk extends to many websites that may not even realise they are using the plugin. Websites built with older versions of these themes could unknowingly remain exposed to the threat.

Given how easily attackers can exploit these weaknesses once they gain access, it’s vital for all users and developers relying on WPBakery to take immediate action. The recommended solution is to update the plugin to the most recent version, which is version 8.7. This update includes essential security patches that fix the input sanitisation and output escaping issues, thereby closing the loophole that attackers could take advantage of.

Regularly updating WordPress plugins is one of the simplest yet most effective ways to prevent security breaches. Cybercriminals often look for outdated software as easy targets, and even a small delay in applying security updates can leave websites vulnerable. In addition to updating WPBakery, users should also ensure their WordPress core, themes, and other plugins are kept up to date to reduce overall risk.

Website administrators are also encouraged to review their site’s access permissions. Reducing the number of accounts with contributor or higher-level privileges can limit the potential damage if an account is ever compromised. Monitoring site activity logs and using a security plugin to scan for unusual behaviour can provide an additional layer of protection.

While the flaw in WPBakery has now been addressed, it serves as an important reminder of the ongoing need for proactive security management in WordPress sites. The platform’s flexibility and popularity make it a frequent target for cyberattacks, but with regular updates, careful access control, and awareness of potential vulnerabilities, site owners can greatly reduce their exposure to threats.

In summary, the WPBakery vulnerability highlights the importance of consistent plugin maintenance and the role of secure coding practices such as input sanitisation and output escaping. WordPress users who depend on WPBakery should not delay in upgrading to version 8.7 to ensure their sites remain safe, functional, and resistant to future attacks.