Description
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-29
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Bold Page Builder WordPress plugin has a stored XSS vulnerability caused by the additional_settings parameter. When an authenticated user with contributor‑level access or higher submits content to this parameter, the plugin stores the data without sanitizing or escaping it. Later, when the page is rendered, the script runs in the browser of any visitor, allowing the attacker to deface the site, steal session cookies, or hijack user accounts. The weakness is classified as CWE‑79.

Affected Systems

All WordPress installations that use Bold Page Builder version 5.3.6 or older are affected. Versions beyond 5.3.6 contain a fix that sanitizes the additional_settings field. The issue is present in every release up to and including 5.3.6, regardless of other plugin or theme versions.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, and the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The vulnerability is not listed in CISA KEV. Successful exploitation requires the attacker to be authenticated with contributor‑level privileges and to have permission to edit plugin content. Because the stored malicious code is served to all page visitors, the impact can affect the confidentiality, integrity, and availability of the affected WordPress site.

Generated by OpenCVE AI on April 22, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bold Page Builder to version 5.3.7 or later to remove the stored XSS flaw.
  • Remove or overwrite any content containing the malicious additional_settings payload to eliminate the risk from already compromised pages.
  • Restrict contributor or lower‑level permissions, or require administrator privileges for editing plugin settings, so only trusted users can modify content that may contain XSS vectors.

Generated by OpenCVE AI on April 22, 2026 at 04:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16367 The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 29 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 May 2025 08:30:00 +0000

Type Values Removed Values Added
Description The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Bold Builder <= 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:09.174Z

Reserved: 2025-05-27T19:08:59.083Z

Link: CVE-2025-5286

cve-icon Vulnrichment

Updated: 2025-05-29T14:04:10.381Z

cve-icon NVD

Status : Deferred

Published: 2025-05-29T09:15:28.147

Modified: 2026-06-17T09:47:37.073

Link: CVE-2025-5286

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')