WordPress Plugin Vulnerabilities

Bold Page Builder < 5.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
bold-page-builder
Fixed in 5.4.4

References

CVE
CVE-2025-58194
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6de4c2bb-a9dd-4de5-89ef-0ed8fde2514c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
ddd1e442-66b7-4420-9fa7-31fd65811da6

Timeline

Publicly Published
2025-08-27 (about 8 months ago)
Added
2025-09-03 (about 8 months ago)
Last Updated
2025-09-03 (about 8 months ago)

Other

Published
Title
Published
2021-09-20
Title
One User Avatar < 2.3.7 - Contributor+ Stored Cross-Site Scripting
Published
2024-12-17
Title
Contests by Rewards Fuel < 2.0.66 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-10-24
Title
Maileon < 2.16.1 - Admin+ Stored XSS
Published
2023-03-29
Title
Weaver Xtreme Theme Support < 6.2.7 - Contributor+ Stored XSS
Published
2025-02-18
Title
Lexicata <= 1.0.16 - Reflected Cross-Site Scripting