CVE-2025-11161 WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vccustomheading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...