Skip to content

[GHSA-563x-8ppc-xc7c] The Bold Page Builder plugin for WordPress is vulnerable... #6803

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
saivarun3407 wants to merge 1 commit into
base: saivarun3407/advisory-improvement-6803
Choose a base branch
from
+24 −3
Open

[GHSA-563x-8ppc-xc7c] The Bold Page Builder plugin for WordPress is vulnerable... #6803

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 24 additions & 3 deletions advisories/unreviewed/2026/02/GHSA-563x-8ppc-xc7c/GHSA-563x-8ppc-xc7c.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-563x-8ppc-xc7c",
"modified": "2026-02-07T06:31:05Z",
"modified": "2026-02-07T06:31:11Z",
"published": "2026-02-07T06:31:05Z",
"aliases": [
"CVE-2025-12803"
],
"details": "The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
"summary": "Vulnerability in Bold Page Builder WordPress Plugin (CVE-2025-12803)",
"details": "# Vulnerability in Bold Page Builder WordPress Plugin (CVE-2025-12803)\n\nBold Page Builder <= 5.5.1 is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) via the bt_bb_tabs shortcode. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which execute when users access the injected page.\n\n## Details\n\nThe vulnerability occurs due to insufficient input sanitization and output escaping on user-supplied attributes in the bt_bb_tabs shortcode. Attackers can embed malicious JavaScript in attributes like tab titles, leading to stored XSS.\n\n- **Vulnerability Type**: CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS)\n- **Root Cause**: Lack of proper escaping for attributes in the bt_bb_tabs shortcode rendering.\n- **Execution Flow**:\n 1. An authenticated user (Contributor+) creates or edits a post/page.\n 2. They insert the bt_bb_tabs shortcode with a malicious attribute (e.g., title containing XSS payload).\n 3. The post is published or saved.\n 4. When the page is viewed by any user (including admins), the script executes in their browser context.\n\n## Proof of Concept (PoC)\n\nTo reproduce:\n\n1. Log in as a Contributor or higher.\n2. Create a new post and switch to the Bold Page Builder editor.\n3. Insert a Tabs element (bt_bb_tabs shortcode).\n4. In the tab settings, set a title to: `\"><script>alert('XSS')</script>`\n5. Save and publish the post.\n6. View the post in a browser—the alert will trigger, confirming XSS.\n\n**Example Shortcode:**\n[bt_bb_tabs][bt_bb_tab title=\"\"><script>alert('XSS')</script>\"]Content[/bt_bb_tab][/bt_bb_tabs]\n\n\n## Impact\n\n- **Confidentiality/Integrity**: Medium. Injected scripts can steal session cookies, perform actions on behalf of users, or deface content.\n- **Availability**: Low. No direct denial of service, but could lead to further exploitation.\n- **Security Risk**: Requires authentication, but Contributor access is often granted. Can target higher-privileged users viewing the page.\n\n## Affected Components\n\n- **Plugin**: Bold Page Builder (WordPress)\n- **Versions**: <= 5.5.1\n- **Component**: bt_bb_tabs shortcode handling\n\n## Fix Method\n\nTo remediate this vulnerability:\n\n- **Update Plugin**: Upgrade to Bold Page Builder version 5.5.2 or later, which includes fixes for attribute sanitization.\n- **Input Sanitization**: Ensure all shortcode attributes are properly escaped using functions like esc_attr() in PHP.\n- **Content Security Policy (CSP)**: Implement a strict CSP to mitigate XSS impacts.\n\n## References\n\n- Wordfence Threat Intel: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bold-page-builder/bold-builder-551-authenticated-contributor-stored-cross-site-scripting-via-bt-bb-tabs-shortcode\n- CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-12803\n- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12803",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "Bold-page-Builder"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.5.1"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
Expand Down