Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Stored XSS. This issue affects Post and Page Builder by BoldGrid: from n/a through <= 1.27.5.
Published: 2025-01-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during page rendering in the WordPress Post and Page Builder by BoldGrid results in a stored cross‑site scripting (XSS) flaw. Attackers can embed malicious scripts that execute in the browser when the affected page is viewed, potentially exposing session cookies, defacing content or executing further attacks against site users. The flaw is a classic input validation oversight (CWE‑79).

Affected Systems

The vulnerability impacts the BoldGrid Post and Page Builder plugin for WordPress, affecting all versions from the first release up to and including 1.27.5. Users running any of these plugin versions on a WordPress site are susceptible. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity, while the EPSS score of less than 1% indicates a low probability of widespread exploitation at present. The flaw is not yet documented in the CISA KEV catalog, but its existence is publicly known and could be leveraged by attackers who can input crafted content into the builder interface. An attacker would typically craft malicious payloads that are stored by the plugin and later rendered in the page, thus executing in the context of any visitor.

Generated by OpenCVE AI on May 2, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Post and Page Builder plugin to the latest available version, which removes the stored XSS issue.
  • If an immediate update is not possible, disable the plugin or delete any pages built with it until the patch is applied.
  • Review existing pages and sanitize any content that was previously entered through the builder to eliminate embedded scripts.

Advisories
Source: EUVD
ID: EUVD-2025-2973
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Post and Page Builder by BoldGrid – Visual Drag and Drop Editor allows Stored XSS. This issue affects Post and Page Builder by BoldGrid – Visual Drag and Drop Editor: from n/a through 1.27.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Post and Page Builder by BoldGrid – Visual Drag and Drop Editor allows Stored XSS. This issue affects Post and Page Builder by BoldGrid – Visual Drag and Drop Editor: from n/a through 1.27.4.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Stored XSS. This issue affects Post and Page Builder by BoldGrid: from n/a through <= 1.27.5.

Type: Title
Values Removed: WordPress Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin <= 1.27.4 - Cross Site Scripting (XSS) vulnerability
Values Added: WordPress Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin <= 1.27.5 - Cross Site Scripting (XSS) vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 19 Mar 2025 18:15:00 +0000

Type: First Time appeared
Values Added: Boldgrid; Boldgrid post And Page Builder By Boldgrid - Visual Drag And Drop Editor

Type: CPEs
Values Added: cpe:2.3:a:boldgrid:post_and_page_builder_by_boldgrid_-_visual_drag_and_drop_editor:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Boldgrid; Boldgrid post And Page Builder By Boldgrid - Visual Drag And Drop Editor

Wed, 15 Jan 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jan 2025 15:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Post and Page Builder by BoldGrid – Visual Drag and Drop Editor allows Stored XSS. This issue affects Post and Page Builder by BoldGrid – Visual Drag and Drop Editor: from n/a through 1.27.4.

Type: Title
Values Added: WordPress Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin <= 1.27.4 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:06.778Z

Reserved: 2025-01-07T21:04:45.366Z

Link: CVE-2025-22759

Vulnrichment

Updated: 2025-01-15T19:06:49.723Z

NVD

Status: Modified

Published: 2025-01-15T16:15:38.733

Modified: 2026-04-23T15:23:33.900

Link: CVE-2025-22759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:30:36Z

Weaknesses