
WP Bakery WordPress Vulnerability Affects Millions of sites

To start with, researchers have found that the vulnerability allows an attacker to post code that could disrupt an entire page or your whole site.

Let's look at it in detail, starting with what Authenticated Stored Cross-Site Scripting is.

Authenticated Stored Cross-Site Scripting Vulnerability (XSS)

In a Cross-Site Scripting vulnerability, the attacker is able to target the browsers of the site's users. This is done through malicious scripts or code placed on the site. These are among the most common types of vulnerability found today.

If the script is placed on the website itself, it is known as a Stored XSS vulnerability. An Authenticated Stored Cross-Site Scripting vulnerability simply means that the attacker needs to have credentials for the website in order to attack it.

So this is not that critical, because the attacker needs to have credentials in hand to perform the attack.

WP Bakery Authenticated Stored XSS vulnerability

The WP Bakery vulnerability requires the attacker to obtain contributor- or author-level posting credentials to a website.

Once an attacker has the credentials, they are able to inject scripts into any post or page. It also gives the attacker the opportunity to modify posts that other users have made. However, this vulnerability had a lot of issues.

For one, it allowed a credentialed user to inject HTML and JavaScript not only into their own posts or pages but also into those of other authors. In addition, the targeted button had JavaScript functionality attached to it, which made matters worse by giving users the ability to simply edit other users' posts.

WP Bakery Page Builder 6.4 and Under are affected

Let's look at the history of the WP Bakery Page Builder issue. The vulnerability was discovered in late July 2020. In late August, another patch was released by WP Bakery, but some issues remained, and a second patch was released in early September. On September 24, 2020, the final patch that closed the vulnerability was released.

WP Bakery Builder is the most common and popular page builder for WordPress. Its drag-and-drop features make it easy to use when creating different kinds of custom pages.

Plugin developers post a changelog, and the content of the changelog is what appears in the WordPress admin plugin area to communicate what an update is about.

Sadly, the changelog of WP Bakery does not reflect the urgency of the update, because it does not specifically mention that a vulnerability is being fixed. The changelog refers to the vulnerability patches as upgrades.

In the latest version of WPBakery, lower-level users no longer have unfiltered HTML capabilities by default, but administrators can grant the permission if they want to. Furthermore, users without the appropriate privileges can no longer edit the posts of other users, access the page builder unless permitted, or use shortcodes that might allow malicious JavaScript to be injected.

WP Bakery Page Builder is commonly included in themes.

The latest version of WP Bakery Page Builder is 6.4.1, so it is vital that you upgrade to it. I would also suggest that you do not keep any untrusted contributor or author user accounts on your website.


In today's post, I have given a gist of the flaws in the WPBakery plugin that allowed users to inject malicious JavaScript into posts using the WPBakery Page Builder.

Since WPBakery is a premium plugin that is also used as the page builder in various premium themes, you may need to double-check whether any updates are available to you through your theme purchase. You can find out which version is installed on your site by checking the plugin version number on your plugin dashboard.

If you have friends, colleagues, or anyone else who uses this plugin on their site, I would highly recommend that they protect their sites; they can check out this post to get an idea of the flaws involved.

If you liked this post and it helped you, do let me know in the comments section.
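The two checks recommended above (confirm the installed version is at least 6.4.1, and review contributor and author accounts) can be scripted with WP-CLI. This is an added example, not part of the original post; it assumes WP-CLI is installed and that the plugin is installed under the slug `js_composer`, so adjust the slug if your install uses a different one.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress install for the WPBakery issue described above.
# Assumptions: WP-CLI ("wp") is available, and the plugin slug is "js_composer".
# Needs GNU sort for version ordering (sort -V).

FIXED_VERSION="6.4.1"   # release that closed the vulnerability, per the article

# Return 0 (true) if version $1 is strictly older than version $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "vulnerable", "patched" or "unknown" for a WPBakery version string.
classify_version() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Report the installed plugin version and the accounts that hold the
# contributor or author role (the roles the flaw required).
audit_site() {
    local path="$1" version
    version="$(wp --path="$path" plugin get js_composer --field=version 2>/dev/null)"
    echo "WPBakery version: ${version:-not found} ($(classify_version "$version"))"
    echo "Contributor and author accounts to review:"
    wp --path="$path" user list --role=contributor --fields=ID,user_login,user_registered
    wp --path="$path" user list --role=author --fields=ID,user_login,user_registered
}

# Run the audit only when a site path is given and WP-CLI is present.
if [ -n "${1:-}" ] && command -v wp >/dev/null 2>&1; then
    audit_site "$1"
fi
```

Run it with the WordPress root directory as the only argument; an "unknown" result means the plugin was not found under that slug and the version should be checked on the plugin dashboard instead.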

Tim Michaels
I have been into WordPress and web development for the last 10 years. I use my experience to help people just starting with WordPress. Follow my blog at WP Uber for everything related to WordPress.