Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows DOM-Based XSS. This issue affects Bold Page Builder: from n/a through <= 5.3.2.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM‑based XSS flaw caused by improper neutralization of user input during web page generation. An attacker can inject malicious scripts that execute in the victim’s browser when a crafted URL or form input is processed by the Bold Page Builder plugin. The impact is limited to the execution of scripts in the victim’s browser, which may allow unauthorized actions within the context of the site’s content.

Affected Systems

Any WordPress site that has Bold Page Builder installed on a version up to and including 5.3.2 is affected. This includes all installations where the plugin is active on the server and serves admin or public pages that include the vulnerable code paths.

Risk and Exploitability

The CVSS score of 6.5 rates this as a moderate‑severity flaw. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the exploitation of DOM‑based XSS by directing a victim to a specially crafted URL or by submitting malicious input through the plugin’s interface, causing the browser to execute injected script in the page context.

Generated by OpenCVE AI on May 1, 2026 at 08:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bold Page Builder to the latest version (5.3.3 or newer) which removes the DOM‑based XSS code path.
  • If an immediate upgrade is not feasible, deactivate or uninstall the Bold Page Builder plugin until the fix is available.
  • Apply WordPress core and theme updates, and consider installing a security plugin that sanitizes or blocks malicious input to mitigate XSS while awaiting the official patch.

Advisories
Source: EUVD
ID: EUVD-2025-13834
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder allows DOM-Based XSS. This issue affects Bold Page Builder: from n/a through 5.3.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder allows DOM-Based XSS. This issue affects Bold Page Builder: from n/a through 5.3.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows DOM-Based XSS.This issue affects Bold Page Builder: from n/a through <= 5.3.2.
Title
  Removed: WordPress Bold Page Builder <= 5.3.2 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Bold Page Builder plugin <= 5.3.2 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: epss {'score': 0.00039}
  Added: epss {'score': 0.00045}


Thu, 08 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder allows DOM-Based XSS. This issue affects Bold Page Builder: from n/a through 5.3.2.
Title WordPress Bold Page Builder <= 5.3.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.732Z

Reserved: 2025-05-07T09:39:15.824Z

Link: CVE-2025-47488

Vulnrichment

Updated: 2025-05-08T16:17:31.626Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:03.057

Modified: 2026-04-23T15:30:19.130

Link: CVE-2025-47488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:00:12Z

Weaknesses