The Bold Page Builder plugin allows an authenticated user with contributor-level access or higher to embed malicious scripts through the bt_bb_tabs shortcode. User supplied attributes of the shortcode are not properly sanitized or escaped, letting the attacker store arbitrary JavaScript that later executes whenever anyone views the affected page. This stored XSS flaw is classified as CWE‑80 and can be used to steal session cookies, deface content, or launch further attacks against site visitors. The impact is confined to the web page where the shortcode is used but can affect all users who load that page, compromising confidentiality, integrity, and potentially availability through denial‑of‑service actions carried out by the injected code.

Bold Themes’ Bold Page Builder plug‑in for WordPress, all released versions up to and including 5.5.1. Users running any of these versions are at risk, regardless of WordPress core version. The vulnerability is present in the bt_bb_tabs content element and is tied to the shortcode functionality.

The CVSS score of 6.4 labels this flaw as medium severity, and the EPSS score of less than 1 % indicates a low probability that the vulnerability will be targeted in the near term. The attacker must be authenticated with contributor or higher privileges, so the attack vector is authenticated. Although not listed in the CISA KEV catalog, the flaw is exploitable in any site where contributors can insert or edit shortcode attributes. If a malicious contributor is present or a site’s role permissions are mis‑configured, the stored scripts will run for every visitor, enabling widespread compromise.