WordPress Plugin Vulnerabilities

Post and Page Builder by BoldGrid < 1.27.6 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
post-and-page-builder
Fixed in 1.27.6

References

CVE
CVE-2025-22759
URL
https://patchstack.com/database/wordpress/plugin/post-and-page-builder/vulnerability/wordpress-post-and-page-builder-by-boldgrid-visual-drag-and-drop-editor-plugin-1-27-4-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
João Pedro Soares de Alcântara
Verified
No
WPVDB ID
357890dc-1343-4d0c-bb1c-cfa0e89e4a9c

Timeline

Publicly Published
2025-01-14 (about 1 year ago)
Added
2025-01-22 (about 1 year ago)
Last Updated
2025-02-04 (about 1 year ago)

Other

Published
Title
Published
2024-07-16
Title
WordPress File Upload < 4.24.8 - Reflected XSS
Published
2026-01-13
Title
JNews - Video <= 11.0.2 - Reflected Cross-Site Scripting
Published
2023-10-16
Title
WP Discord Invite < 2.5.2 - Admin+ Stored Cross Site Scripting
Published
2024-04-25
Title
XStore < 9.3.9 - Reflected Cross-Site Scripting
Published
2025-12-20
Title
WC Builder < 1.2.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute