WordPress Plugin Vulnerabilities

Bold Page Builder < 4.7.0 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
bold-page-builder
Fixed in 4.7.0

References

CVE
CVE-2023-49823
URL
https://patchstack.com/database/vulnerability/bold-page-builder/wordpress-bold-page-builder-plugin-4-6-1-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
No
WPVDB ID
e86bc5ed-a8c4-4b64-ae79-c43a2e1a692c

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-12 (about 2 years ago)
Last Updated
2023-12-12 (about 2 years ago)

Other

Published
Title
Published
2025-01-06
Title
Product Table for WooCommerce < 5.0.0 - Reflected XSS
Published
2022-02-02
Title
Advanced iFrame < 2022 - Reflected Cross-Site Scripting
Published
2026-03-23
Title
Boutique < 2.4.6 - Reflected Cross-Site Scripting
Published
2025-06-26
Title
WP Wall <= 1.7.3 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
Fast Video and Image Display <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting