Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Bold Page Builder WordPress plugin (versions up to and including 5.6.8) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious JavaScript via the 'text' attribute of the bt_bb_button shortcode. The script executes in the browser of any user who subsequently loads the compromised page, including administrators, enabling session hijacking or unauthorized action execution under victim identity. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, carries an EPSS score of 0.03% (8th percentile), and SSVC designates exploitation status as none.
Technical ContextAI
The Bold Page Builder plugin (vendor: BoldThemes, CPE: cpe:2.3:a:boldthemes:bold_page_builder:*:*:*:*:*:*:*:*) extends the WordPress shortcode system with the bt_bb_button element, which accepts a user-controlled 'text' attribute. CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) identifies the root cause: the plugin neither sanitizes shortcode attribute values at input nor escapes them at render time, allowing raw script content to be persisted in WordPress post storage and then reflected into page HTML on every subsequent load. The CVSS Scope value of Changed (S:C) is significant - it confirms that the vulnerability crosses the plugin's own security boundary and affects the end-user's browser context, a common characteristic of stored XSS that enables impact beyond the WordPress application layer itself.
RemediationAI
Upstream fix available via WordPress plugin repository changeset at https://plugins.trac.wordpress.org/changeset/3479329/bold-page-builder; however, the exact patched release version number is not independently confirmed from the available data - administrators should verify the current version in the WordPress Plugin Directory and update to any release beyond 5.6.8. As a compensating control while patching is pending, restrict contributor-level role assignments to only fully trusted users, since the attack requires an authenticated account at that privilege tier or above - note that this may limit legitimate editorial workflows. Additionally, a Web Application Firewall (WAF) with WordPress-aware XSS rules (such as Wordfence's own firewall) can block injection attempts in transit, though WAF bypass is possible and should not substitute for patching.
More in Bold Page Builder
View allThe bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unseria
The Bold Page Builder WordPress plugin before 4.3.3 does not sanitise and escape some of its settings, which could allow
The bold-page-builder plugin before 2.3.2 for WordPress has no protection against modifying settings and importing data.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Pa
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Pa
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Pa
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tags in all versions up
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Price List' element in
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's AI features all
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_price_lis
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of widgets
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30244
GHSA-jwrm-x45j-g8vv