The vulnerability arises from improper neutralization of input when generating web pages in Bold Page Builder. The plugin stores arbitrary user‑supplied content without escaping, allowing stored cross‑site scripting. When a visitor loads a page containing the unescaped content, the injected script runs in the visitor’s browser, potentially leading to cookie theft, session hijacking, or manipulation of the page. This flaw falls under CWE‑79. The CVE notes the issue as a stored XSS, indicating that the payload is persisted in the database and served to subsequent users.

Bold Page Builder by Boldthemes, versions up to and including 5.4.1, is affected. All WordPress installations that have this plugin installed and active, regardless of the WordPress core version, could be exposed when pages created or edited with this plugin are viewed.

The CVSS score of 6.5 classifies the vulnerability as moderate. The EPSS score of less than 1% suggests a low probability of widescale exploitation in the current threat landscape, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is web‑based, targeting the content submission interface of the plugin; the CVE description does not specify privilege requirements, so it is unclear whether a publicly‑available role can introduce a payload, but the stored nature means all subsequent visitors may be impacted once the payload is inserted. Attackers would need to get a malicious payload into the plugin’s input fields, which after storage would be served to others. This inference is drawn from the stored‑XSS definition and is not explicitly detailed in the CVE text.