Skip to main content

Bold Page Builder CVE-2026-3694

| EUVDEUVD-2026-30244 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-14 Wordfence GHSA-jwrm-x45j-g8vv
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:46 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
MEDIUM 6.4

DescriptionCVE.org

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Bold Page Builder WordPress plugin (versions up to and including 5.6.8) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious JavaScript via the 'text' attribute of the bt_bb_button shortcode. The script executes in the browser of any user who subsequently loads the compromised page, including administrators, enabling session hijacking or unauthorized action execution under victim identity. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, carries an EPSS score of 0.03% (8th percentile), and SSVC designates exploitation status as none.

Technical ContextAI

The Bold Page Builder plugin (vendor: BoldThemes, CPE: cpe:2.3:a:boldthemes:bold_page_builder:*:*:*:*:*:*:*:*) extends the WordPress shortcode system with the bt_bb_button element, which accepts a user-controlled 'text' attribute. CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) identifies the root cause: the plugin neither sanitizes shortcode attribute values at input nor escapes them at render time, allowing raw script content to be persisted in WordPress post storage and then reflected into page HTML on every subsequent load. The CVSS Scope value of Changed (S:C) is significant - it confirms that the vulnerability crosses the plugin's own security boundary and affects the end-user's browser context, a common characteristic of stored XSS that enables impact beyond the WordPress application layer itself.

RemediationAI

Upstream fix available via WordPress plugin repository changeset at https://plugins.trac.wordpress.org/changeset/3479329/bold-page-builder; however, the exact patched release version number is not independently confirmed from the available data - administrators should verify the current version in the WordPress Plugin Directory and update to any release beyond 5.6.8. As a compensating control while patching is pending, restrict contributor-level role assignments to only fully trusted users, since the attack requires an authenticated account at that privilege tier or above - note that this may limit legitimate editorial workflows. Additionally, a Web Application Firewall (WAF) with WordPress-aware XSS rules (such as Wordfence's own firewall) can block injection attempts in transit, though WAF bypass is possible and should not substitute for patching.

CVE-2021-24579 HIGH POC
8.8 Aug 30

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unseria

CVE-2022-2089 MEDIUM POC
4.8 Jul 11

The Bold Page Builder WordPress plugin before 4.3.3 does not sanitise and escape some of its settings, which could allow

CVE-2019-15821 HIGH
7.5 Aug 30

The bold-page-builder plugin before 2.3.2 for WordPress has no protection against modifying settings and importing data.

CVE-2024-30179 MEDIUM
6.5 Mar 27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Pa

CVE-2023-49823 MEDIUM
6.5 Dec 15

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Pa

CVE-2024-30442 MEDIUM
6.5 Mar 29

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Pa

CVE-2024-2736 MEDIUM
6.4 Apr 10

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tags in all versions up

CVE-2024-2735 MEDIUM
6.4 Apr 10

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Price List' element in

CVE-2024-2734 MEDIUM
6.4 Apr 10

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's AI features all

CVE-2024-3267 MEDIUM
6.4 Apr 09

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_price_lis

CVE-2024-3266 MEDIUM
6.4 Apr 09

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of widgets

CVE-2024-1159 MEDIUM
6.4 Feb 13

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in

Share

CVE-2026-3694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy