Bold Page Builder WordPress Plugin Security Vulnerabilities | WPScan

34

March 26, 2026

50000

Published

2026-02-06

Title

Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Fixed in

No known fix

CVSS

6.4 (medium)

Published

2026-02-06

Title

Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid

Fixed in

No known fix

CVSS

6.4 (medium)

Published

2026-02-06

Title

Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode

Fixed in

No known fix

CVSS

6.4 (medium)

Published

2026-02-06

Title

Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode

Fixed in

No known fix

CVSS

6.4 (medium)

Published

2026-01-20

Title

Bold Page Builder <= 5.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

No known fix

CVSS

6.4 (medium)

Published

2025-11-27

Title

Bold Page Builder < 5.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.5.3

CVSS

6.4 (medium)

Published

2025-10-23

Title

Bold Page Builder < 5.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter

Fixed in

Fixed in 5.4.6

CVSS

6.4 (medium)

Published

2025-08-27

Title

Bold Page Builder < 5.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.4.4

CVSS

6.4 (medium)

Published

2025-07-16

Title

Bold Page Builder < 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.4.2

CVSS

6.4 (medium)

Published

2025-07-02

Title

Magnific Popups JavaScript Library < 1.2.0 - Contributor+ Stored XSS

Fixed in

Fixed in 5.1.3

CVSS

5.9 (medium)

Published

2025-05-28

Title

Bold Builder < 5.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter

Fixed in

Fixed in 5.3.7

CVSS

6.4 (medium)

Published

2025-05-17

Title

Bold Page Builder < 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-text' Parameter

Fixed in

Fixed in 5.3.6

CVSS

6.4 (medium)

Published

2025-05-07

Title

Bold Page Builder < 5.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.3.1

CVSS

4.4 (medium)

Published

2025-05-07

Title

Bold Page Builder < 5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.3.3

CVSS

6.4 (medium)

Published

2024-12-11

Title

Bold Page Builder < 5.1.6 - Authenticated (Editor+) Path Traversal

Fixed in

Fixed in 5.1.6

CVSS

2.7 (low)

Published

2024-12-02

Title

Bold Page Builder < 5.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.2.2

CVSS

6.4 (medium)

Published

2024-10-24

Title

Bold Page Builder < 5.1.4 - Missing Authorization

Fixed in

Fixed in 5.1.4

CVSS

4.3 (medium)

Published

2024-09-30

Title

Bold Page Builder < 5.1.1- - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.1.1

CVSS

6.4 (medium)

Published

2024-09-24

Title

Bold Page Builder < 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 5.1.2

CVSS

6.4 (medium)

Published

2024-07-29

Title

Bold Page Builder < 5.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode

Fixed in

Fixed in 5.0.3

CVSS

6.4 (medium)

Published

2024-04-09

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Separator Element

Fixed in

Fixed in 4.8.9

CVSS

5.4 (medium)

Published

2024-04-09

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via "Price List" Element

Fixed in

Fixed in 4.8.9

CVSS

6.4 (medium)

Published

2024-04-09

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via AI Features

Fixed in

Fixed in 4.8.9

CVSS

6.4 (medium)

Published

2024-04-09

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags

Fixed in

Fixed in 4.8.9

CVSS

6.4 (medium)

Published

2024-04-05

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute

Fixed in

Fixed in 4.8.9

CVSS

6.4 (medium)

Published

2024-04-05

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_price_list Shortcode

Fixed in

Fixed in 4.8.9

CVSS

6.4 (medium)

Published

2024-03-25

Title

Bold Page Builder < 4.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via class

Fixed in

Fixed in 4.7.7

CVSS

6.4 (medium)

Published

2024-02-12

Title

Bold Page Builder < 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL

Fixed in

Fixed in 4.8.1

CVSS

5.4 (medium)

Published

2024-02-12

Title

Bold Page Builder < 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link

Fixed in

Fixed in 4.8.1

CVSS

5.4 (medium)

Published

2024-02-12

Title

Bold Page Builder < 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Raw Content

Fixed in

Fixed in 4.8.1

CVSS

6.4 (medium)

Published

2023-12-05

Title

Bold Page Builder < 4.7.0 - Contributor+ Stored XSS

Fixed in

Fixed in 4.7.0

CVSS

5.9 (medium)

Published

2022-06-20

Title

Bold Page Builder < 4.3.3 - Admin+ Stored Cross-Site Scripting

Fixed in

Fixed in 4.3.3

CVSS

4.8 (medium)

Published

2021-08-02

Title

Bold Page Builder < 3.1.6 - PHP Object Injection

Fixed in

Fixed in 3.1.6

CVSS

5.6 (medium)

Published

2019-08-23

Title

Bold Page Builder < 2.3.2 - Missing Access Controls

Fixed in

Fixed in 2.3.2

CVSS

7.5 (high)