Bold Page Builder Security & Risk Analysis

wordpress.org/plugins/bold-page-builder

Free Page Builder and Visual Composer - Build stunning responsive post and page layouts with easy to use drag and drop builder - no coding required.

50K active installs · v5.6.9 · PHP + WP 5.0+ · Updated Mar 10, 2026
Tags: drag-and-drop, editor, page-builder, site-builder, wordpress-page-builder
Score 31 · D · High Risk
CVEs total: 33
Unpatched: 5
Last CVE: Feb 6, 2026
Safety Verdict

Is Bold Page Builder Safe to Use in 2026?

High Risk

Score 31/100

Bold Page Builder carries significant security risk with 33 known CVEs, 5 still unpatched. Consider switching to a maintained alternative.

33 known CVEs · 5 unpatched · Last CVE: Feb 6, 2026 · Updated 24d ago
Risk Assessment

The 'bold-page-builder' v5.6.9 plugin presents a mixed security posture. On the positive side, it shows good practices with 100% of SQL queries using prepared statements and a high percentage (85%) of properly escaped output. The absence of critical or high severity taint flows is also a strong indicator of secure coding in those areas. However, significant concerns arise from the substantial vulnerability history, with 33 known CVEs, including 5 currently unpatched. The prevalence of common vulnerability types like XSS, Path Traversal, Missing Authorization, and Deserialization of Untrusted Data suggests recurring security weaknesses that have not been fully addressed.

The static analysis reveals an attack surface of 15 entry points, with 4 AJAX handlers lacking authentication checks. This is a direct pathway for unauthorized actions if exploited. The presence of the `unserialize` function, a known dangerous function often associated with deserialization vulnerabilities, is another critical flag, especially given the plugin's history with such issues. While taint analysis shows no critical or high unsanitized flows, the combination of the dangerous function and a history of deserialization vulnerabilities warrants extreme caution. The 5 unpatched CVEs, particularly those with medium severity, indicate that existing vulnerabilities are still exploitable, further increasing the risk.

In conclusion, while the plugin demonstrates some secure coding practices in specific areas, the extensive and recurring vulnerability history, coupled with the presence of unprotected AJAX handlers and a dangerous function, points to a high-risk plugin. The 5 unpatched CVEs are the most immediate and concerning threat, demanding prompt attention. Users should consider this plugin high-risk until all known vulnerabilities are patched and a thorough audit of the identified weaknesses (unprotected AJAX, unserialize usage) is conducted.

Key Concerns

  • Unpatched CVEs
  • AJAX handlers without auth checks
  • Dangerous function (unserialize) used
Vulnerabilities: 33

Bold Page Builder Security Vulnerabilities

CVEs by Year

  • 2019: 1 CVE
  • 2021: 1 CVE
  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 16 CVEs
  • 2025: 8 CVEs
  • 2026: 5 CVEs · unpatched

Severity Breakdown

  • High: 2
  • Medium: 30
  • Low: 1

33 total CVEs

CVE-2025-12159 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Feb 6, 2026 · Unpatched
CVE-2025-13463 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid

Feb 6, 2026 · Unpatched
CVE-2025-12803 · medium · 6.4 · Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode

Feb 6, 2026 · Unpatched
CVE-2025-15267 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode

Feb 6, 2026 · Unpatched
CVE-2026-25451 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 20, 2026 · Unpatched
CVE-2025-66057 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 27, 2025 Patched in 5.5.3 (5d)
CVE-2025-7730 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter

Oct 23, 2025 Patched in 5.4.6 (1d)
CVE-2025-58194 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 27, 2025 Patched in 5.4.4 (8d)
CVE-2025-54006 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 16, 2025 Patched in 5.4.2 (6d)
CVE-2025-5286 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Builder <= 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter

May 28, 2025 Patched in 5.3.7 (1d)
CVE-2025-3715 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-text' Parameter

May 17, 2025 Patched in 5.3.6 (1d)
CVE-2025-47488 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 7, 2025 Patched in 5.3.3 (7d)
CVE-2025-47525 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 7, 2025 Patched in 5.3.1 (7d)
CVE-2024-54382 · low · 2.7 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Bold Page Builder <= 5.1.5 - Authenticated (Editor+) Path Traversal

Dec 11, 2024 Patched in 5.1.6 (9d)
CVE-2024-53801 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 2, 2024 Patched in 5.2.2 (10d)
CVE-2024-50417 · medium · 4.3 · Missing Authorization

Bold Page Builder <= 5.1.3 - Missing Authorization

Oct 24, 2024 Patched in 5.1.4 (7d)
CVE-2024-47391 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.1.- - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 30, 2024 Patched in 5.1.1 (11d)
CVE-2024-47298 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 24, 2024 Patched in 5.1.2 (9d)
CVE-2024-7100 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode

Jul 29, 2024 Patched in 5.0.3 (1d)
CVE-2024-2733 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Separator Element

Apr 9, 2024 Patched in 4.8.9 (1d)
CVE-2024-2734 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via AI Features

Apr 9, 2024 Patched in 4.8.9 (1d)
CVE-2024-2735 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via "Price List" Element

Apr 9, 2024 Patched in 4.8.9 (1d)
CVE-2024-2736 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Tags

Apr 9, 2024 Patched in 4.8.9 (1d)
CVE-2024-3266 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute

Apr 5, 2024 Patched in 4.8.9 (5d)
CVE-2024-3267 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_price_list Shortcode

Apr 5, 2024 Patched in 4.8.9 (5d)
CVE-2024-30179 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via class

Mar 25, 2024 Patched in 4.7.7 (4d)
CVE-2024-1160 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link

Feb 12, 2024 Patched in 4.8.1 (52d)
CVE-2024-1157 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL

Feb 12, 2024 Patched in 4.8.1 (1d)
CVE-2024-1159 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Raw Content

Feb 12, 2024 Patched in 4.8.1 (1d)
CVE-2023-49823 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 5, 2023 Patched in 4.7.0 (49d)
CVE-2022-2089 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bold Page Builder <= 4.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Jun 20, 2022 Patched in 4.3.3 (582d)
CVE-2021-24579 · high · 7.5 · Deserialization of Untrusted Data

Bold Page Builder <= 3.1.5 - PHP Object Injection

Aug 2, 2021 Patched in 3.1.6 (904d)
CVE-2019-15821 · high · 7.5 · Missing Authorization

Bold Page Builder <= 2.3.1 - Missing Authorization to Settings Update

Aug 23, 2019 Patched in 2.3.2 (1614d)
Code Analysis
Analyzed Mar 16, 2026

Bold Page Builder Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (3 prepared)
  • Unescaped Output: 125 (728 escaped)
  • Nonce Checks: 8
  • Capability Checks: 16
  • File Operations: 6
  • External Requests: 2
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · $fonts = unserialize( 'a:1910:{i:0;a:2:{s:8:"css-name";s:7:"ABeeZee";s:9:"font-name";s:7:"ABeeZee";} · content_elements_misc\google_fonts.php:2

SQL Query Safety

100% prepared · 3 total queries

Output Escaping

85% escaped · 853 total outputs

Data Flows: All sanitized

Data Flow Analysis

5 flows
bt_bb_fe_get_html (bold-builder-fe.php:772)
Attack Surface: 4 unprotected

Bold Page Builder Attack Surface

Entry Points: 15
Unprotected: 4

AJAX Handlers: 15

auth · wp_ajax_bt_bb_dismissed_rating_notice_handler · admin-notice-rating.php:64
auth · wp_ajax_bt_bb_rating_notice_enable · admin-notice-rating.php:71
auth · wp_ajax_bt_bb_dismissed_notice_handler · admin-notice.php:36
auth · wp_ajax_bt_bb_ai · ai\ai.php:196
auth · wp_ajax_bt_bb_fe_save · bold-builder-fe.php:766
auth · wp_ajax_bt_bb_fe_get_html · bold-builder-fe.php:800
auth · wp_ajax_bt_bb_fe_get_template_html · bold-builder-fe.php:861
auth · wp_ajax_bt_bb_save_custom_css · bold-builder.php:644
auth · wp_ajax_bt_bb_get_custom_css · bold-builder.php:660
auth · wp_ajax_bt_bb_search_links · bold-builder.php:765
auth · wp_ajax_bt_bb_get_html · bold-builder.php:786
auth · wp_ajax_bt_bb_get_css_grid · content_elements\bt_bb_css_post_grid\bt_bb_css_post_grid.php:8
nopriv · wp_ajax_bt_bb_get_css_grid · content_elements\bt_bb_css_post_grid\bt_bb_css_post_grid.php:9
auth · wp_ajax_bt_bb_get_grid · content_elements\bt_bb_masonry_post_grid\bt_bb_masonry_post_grid.php:7
nopriv · wp_ajax_bt_bb_get_grid · content_elements\bt_bb_masonry_post_grid\bt_bb_masonry_post_grid.php:8

WordPress Hooks: 61

filter · wp_robots · add-section-template.php:13
filter · the_content · add-section-template.php:63
action · wp_footer · add-section-template.php:67
action · admin_footer · admin-notice-rating.php:18
action · admin_footer · admin-notice.php:18
action · admin_bar_init · bold-builder-fe.php:12
action · wp_enqueue_scripts · bold-builder-fe.php:615
action · wp_head · bold-builder-fe.php:616
action · wp_footer · bold-builder-fe.php:617
action · wp_head · bold-builder-fe.php:619
filter · wp_kses_allowed_html · bold-builder-fe.php:782
filter · wp_kses_allowed_html · bold-builder-fe.php:827
filter · the_content · bold-builder.php:34
filter · body_class · bold-builder.php:124
filter · use_block_editor_for_post_type · bold-builder.php:144
action · wp_head · bold-builder.php:326
action · admin_enqueue_scripts · bold-builder.php:390
filter · user_can_richedit · bold-builder.php:399
action · wp_head · bold-builder.php:545
action · admin_init · bold-builder.php:609
action · init · bold-builder.php:619
action · admin_menu · bold-builder.php:795
action · customize_controls_print_scripts · bold-builder.php:934
action · admin_footer · bold-builder.php:1039
action · admin_footer · bold-builder.php:1150
action · customize_controls_head · bold-builder.php:1151
action · admin_head · bold-builder.php:1203
action · wp_enqueue_scripts · bold-builder.php:1209
filter · the_content · bold-builder.php:1210
action · admin_bar_init · bold-builder.php:1212
action · wp_enqueue_scripts · bold-builder.php:1215
action · wp_enqueue_scripts · bold-builder.php:1218
action · plugins_loaded · bold-builder.php:1237
filter · bt_bb_elements · bold-builder.php:1275
filter · bt_bb_elements · bold-builder.php:1283
filter · the_content · bold-builder.php:1436
filter · the_content · bold-builder.php:1440
action · current_screen · bold-builder.php:1443
filter · user_can_richedit · bold-builder.php:1455
action · admin_footer · bold-builder.php:1457
action · admin_footer · bold-builder.php:1467
filter · preview_post_link · bold-builder.php:1472
action · add_meta_boxes · bold-builder.php:1512
filter · wp_default_editor · bold-builder.php:1569
action · admin_footer · bold-builder.php:1647
filter · bt_bb_general_output · bold-builder.php:1771
action · admin_bar_init · bold-builder.php:1795
action · admin_bar_init · bold-builder.php:1798
filter · bt_bb_extract_atts · bold-builder.php:1803
action · bt_bb_general_output · bold-builder.php:2114
action · import_end · bold-builder.php:2126
action · init · bold-builder.php:2179
filter · wp_get_attachment_url · bold-builder.php:2186
action · content_save_pre · bold-builder.php:2193
action · wp_footer · content_elements\bt_bb_section\bt_bb_section.php:208
action · wp_footer · content_elements_misc\misc.php:209
action · admin_footer · tips.php:65
action · admin_head · widgets\bb_text_image\init.php:16
action · customize_controls_head · widgets\bb_text_image\init.php:17
action · wp_footer · widgets\bb_time\init.php:30
action · widgets_init · widgets\init.php:22
Maintenance & Trust

Bold Page Builder Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 10, 2026
  • PHP min version
  • Downloads: 2.7M

Community Trust

  • Rating: 72/100
  • Number of ratings: 66
  • Active installs: 50K
Developer Profile

Bold Page Builder Developer Profile

boldthemes

8 plugins · 69K total installs

  • Trust score: 68
  • Avg Security Score: 84/100
  • Avg Patch Time: 118 days
Detection Fingerprints

How We Detect Bold Page Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/bold-page-builder/bold-builder.min.css
  • /wp-content/plugins/bold-page-builder/bold-builder.min.js
  • /wp-content/plugins/bold-page-builder/editor/css/bold-builder-editor.min.css
  • /wp-content/plugins/bold-page-builder/editor/js/bold-builder-editor.min.js
  • /wp-content/plugins/bold-page-builder/editor/js/bold-builder-editor-vendor.min.js

Script Paths
  • /wp-content/plugins/bold-page-builder/bold-builder.min.js
  • /wp-content/plugins/bold-page-builder/editor/js/bold-builder-editor-vendor.min.js
  • /wp-content/plugins/bold-page-builder/editor/js/bold-builder-editor.min.js

Version Parameters
  • bold-page-builder/bold-builder.min.css?ver=
  • bold-page-builder/bold-builder.min.js?ver=
  • bold-page-builder/editor/css/bold-builder-editor.min.css?ver=
  • bold-page-builder/editor/js/bold-builder-editor.min.js?ver=
  • bold-page-builder/editor/js/bold-builder-editor-vendor.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • bt_bb_wrapper
  • bt_bb_fe_wrap
  • bt_bb_fe_add_template
  • bt_bb_fe_add_template_list
  • bt_bb_fe_preview_toggler
  • bt_bb_fe_add_elements
  • bt_bb_fe_undo
  • bt_bb_fe_redo
  • +3 more

Data Attributes
  • data-templates-time
  • data-layout-id
  • data-edit_url

JS Globals
  • BT_BB_VERSION
  • BT_BB_FEATURE_ADD_ELEMENTS
  • bt_bb_map
  • bt_bb_array
  • bt_bb_fe_array
  • bt_bb_fe_array_depth

Shortcode Output
  • <div class="bt_bb_wrapper"
  • <div class="bt_bb_fe_wrap">
  • <div class="bt_bb_fe_add_template">
  • <div class="bt_bb_fe_add_template_list">
FAQ

Frequently Asked Questions about Bold Page Builder