WordPress Plugin Vulnerabilities

Bold Page Builder < 5.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
bold-page-builder
Fixed in 5.7.0

References

CVE
CVE-2026-25451
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/61d23b9f-7e84-4a24-acaf-e96a87e1ea7f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (Medium)

Miscellaneous

Original Researcher
theviper17
Verified
No
WPVDB ID
23aa59ed-91e2-4c03-96c9-09faa09b3563

Timeline

Publicly Published
2026-01-20 (about 4 months ago)
Added
2026-02-26 (about 2 months ago)
Last Updated
2026-04-15 (about 1 month ago)

Other

Published
Title
Published
2025-01-16
Title
Yet Another Countdown <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-02
Title
Vayu Blocks < 1.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes
Published
2024-02-12
Title
Livemesh Addons for Elementor < 8.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via animated_text_class
Published
2025-08-19
Title
SensorPress <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2026-01-06
Title
PhotoFade <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes