Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Security & Risk Analysis

wordpress.org/plugins/post-and-page-builder

Post and Page Builder is a standalone plugin which adds functionality to the existing TinyMCE Editor.

60K active installs · v1.27.10 · PHP 5.4+ · WP 4.7+ · Updated Dec 19, 2025

Tags: boldgrid, drag-and-drop, editor, page-builder, tinymce

Score: 95 (A · Safe)
CVEs total: 10
Unpatched: 0
Last CVE: Jan 5, 2026
Safety Verdict

Is Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Safe to Use in 2026?

Generally Safe

Score 95/100

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: Jan 5, 2026 · Updated 3mo ago
Risk Assessment

The "post-and-page-builder" plugin v1.27.10 presents a mixed security posture. While the plugin demonstrates good practices in handling SQL queries and includes a reasonable number of nonce and capability checks, significant concerns arise from its large attack surface exposed through AJAX handlers without authentication. The presence of 11 unprotected AJAX entry points is a critical weakness, as it allows unauthenticated users to potentially interact with sensitive plugin functionalities.

The taint analysis, although showing no critical or high severity unsanitized flows, did identify 3 flows with unsanitized paths. Combined with the vulnerability history, which shows a concerning pattern of past vulnerabilities including Missing Authorization, CSRF, SSRF, Path Traversal, and XSS, these findings suggest a recurring need for diligent input validation and authorization checks. The plugin's history of 10 medium severity CVEs, even though none are currently unpatched, indicates a historical tendency for exploitable flaws, requiring ongoing vigilance.

In conclusion, the plugin has strengths in its database interaction and some security control implementations. However, the high number of unprotected AJAX endpoints is a major risk. The historical vulnerability patterns reinforce the need for developers to prioritize robust input sanitization and strict access control across all entry points to mitigate potential exploits.

Key Concerns

  • 11 unprotected AJAX handlers
  • 3 flows with unsanitized paths
  • 47% output escaping
  • 10 medium severity CVEs in history
  • Common vulnerability types: Missing Auth, CSRF, SSRF, Path Traversal, XSS
Vulnerabilities (10)

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 3 CVEs
2025: 5 CVEs
2026: 1 CVE

Severity Breakdown

Medium: 10 (10 total CVEs)

CVE-2025-69345 · medium · 4.3 · Missing Authorization
Post and Page Builder by BoldGrid <= 1.27.9 - Missing Authorization
Jan 5, 2026 · Patched in 1.27.10 (10d)

CVE-2025-52712 · medium · 4.3 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.8 - Authenticated (Contributor+) Path Traversal
Jul 22, 2025 · Patched in 1.27.9 (7d)

CVE-2025-52711 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.8 - Cross-Site Request Forgery
Jun 19, 2025 · Patched in 1.27.9 (7d)

CVE-2025-52713 · medium · 6.4 · Server-Side Request Forgery (SSRF)
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.8 - Authenticated (Contributor+) Server-Side Request Forgery
Jun 19, 2025 · Patched in 1.27.9 (7d)

CVE-2025-0859 · medium · 6.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Post and Page Builder by BoldGrid <= 1.27.6 - Path Traversal to Authenticated (Contributor+) Arbitrary File Read via template_via_url Function
Feb 5, 2025 · Patched in 1.27.7 (1d)

CVE-2025-22759 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 14, 2025 · Patched in 1.27.6 (85d)

CVE-2024-6848 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.26.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via File Upload
Jul 19, 2024 · Patched in 1.26.7 (1d)

CVE-2024-4400 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.26.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
May 15, 2024 · Patched in 1.26.5 (1d)

CVE-2024-2888 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Plugin <= 1.26.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Mar 25, 2024 · Patched in 1.26.3 (8d)

CVE-2023-25480 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.24.1 - Cross-Site Request Forgery via submitDefaultEditor
Aug 22, 2023 · Patched in 1.24.2 (154d)
Code Analysis (analyzed Mar 16, 2026)

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 124 (111 escaped)
Nonce Checks: 6
Capability Checks: 12
File Operations: 0
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

47% escaped (235 total outputs)

Data Flows (3 unsanitized)

Data Flow Analysis

5 flows, 3 with unsanitized paths

generate_blocks (includes\class-boldgrid-editor-ajax.php:109)
Attack Surface (11 unprotected)

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Attack Surface

Entry Points: 12
Unprotected: 11

AJAX Handlers (11)

auth · wp_ajax_boldgrid_canvas_image · includes\class-boldgrid-editor.php:335
auth · wp_ajax_boldgrid_editor_setup · includes\class-boldgrid-editor.php:336
auth · wp_ajax_boldgrid_editor_dismiss_onb_videos · includes\class-boldgrid-editor.php:337
auth · wp_ajax_boldgrid_editor_save_gridblock · includes\class-boldgrid-editor.php:338
auth · wp_ajax_boldgrid_redirect_url · includes\class-boldgrid-editor.php:339
auth · wp_ajax_boldgrid_generate_blocks · includes\class-boldgrid-editor.php:340
auth · wp_ajax_boldgrid_editor_save_key · includes\class-boldgrid-editor.php:341
auth · wp_ajax_boldgrid_get_saved_blocks · includes\class-boldgrid-editor.php:342
auth · wp_ajax_suggest_crop_crop · includes\class-boldgrid-editor.php:343
auth · wp_ajax_suggest_crop_get_dimensions · includes\class-boldgrid-editor.php:344
auth · wp_ajax_boldgrid_draggable_enabled · includes\class-boldgrid-editor.php:347

Shortcodes (1)

[boldgrid_component] components\class-boldgrid-components-shortcode.php:177
WordPress Hooks (95)

action · wp_loaded · components\class-boldgrid-components-shortcode.php:47
action · save_post · controls\class-boldgrid-controls-page-title.php:48
action · load-post.php · controls\class-boldgrid-controls-page-title.php:49
action · load-post-new.php · controls\class-boldgrid-controls-page-title.php:50
action · edit_form_after_title · controls\class-boldgrid-controls-page-title.php:153
action · admin_enqueue_scripts · includes\class-boldgrid-editor-admin-pointers.php:29
filter · wp_kses_allowed_html · includes\class-boldgrid-editor-ajax.php:59
filter · safe_style_css · includes\class-boldgrid-editor-ajax.php:86
action · admin_init · includes\class-boldgrid-editor-compatibility.php:51
action · admin_notices · includes\class-boldgrid-editor-compatibility.php:52
action · admin_init · includes\class-boldgrid-editor-compatibility.php:55
action · admin_notices · includes\class-boldgrid-editor-compatibility.php:56
action · admin_init · includes\class-boldgrid-editor-config.php:63
action · admin_notices · includes\class-boldgrid-editor-development.php:46
action · admin_head · includes\class-boldgrid-editor-mce.php:73
filter · mce_external_plugins · includes\class-boldgrid-editor-mce.php:96
filter · mce_buttons · includes\class-boldgrid-editor-mce.php:101
filter · wp_mce_translation · includes\class-boldgrid-editor-mce.php:108
action · save_post · includes\class-boldgrid-editor-postmeta.php:29
action · admin_notices · includes\class-boldgrid-editor-premium.php:44
action · admin_init · includes\class-boldgrid-editor-premium.php:47
filter · parse_query · includes\class-boldgrid-editor-preview.php:32
action · template_redirect · includes\class-boldgrid-editor-preview.php:33
action · init · includes\class-boldgrid-editor-preview.php:37
action · template_include · includes\class-boldgrid-editor-preview.php:38
action · template_include · includes\class-boldgrid-editor-preview.php:39
action · load-post-new.php · includes\class-boldgrid-editor-preview.php:40
action · load-post.php · includes\class-boldgrid-editor-preview.php:41
filter · the_content · includes\class-boldgrid-editor-preview.php:42
filter · Boldgrid\Editor\Media\Layout\exludedPosts · includes\class-boldgrid-editor-preview.php:43
action · admin_init · includes\class-boldgrid-editor-setting.php:31
action · save_post · includes\class-boldgrid-editor-setting.php:35
filter · page_attributes_dropdown_pages_args · includes\class-boldgrid-editor-templater.php:50
filter · theme_page_templates · includes\class-boldgrid-editor-templater.php:58
filter · wp_insert_post_data · includes\class-boldgrid-editor-templater.php:65
filter · template_include · includes\class-boldgrid-editor-templater.php:72
action · add_meta_boxes_page · includes\class-boldgrid-editor-templater.php:74
action · posts_selection · includes\class-boldgrid-editor-templater.php:75
filter · body_class · includes\class-boldgrid-editor-templater.php:277
filter · wp_calculate_image_sizes · includes\class-boldgrid-editor-templater.php:278
action · boldgrid_editor_sidebar · includes\class-boldgrid-editor-widget.php:30
filter · doing_it_wrong_trigger_error · includes\class-boldgrid-editor.php:49
action · wp_enqueue_scripts · includes\class-boldgrid-editor.php:190
filter · boldgrid_theme_framework_config · includes\class-boldgrid-editor.php:191
action · wp_head · includes\class-boldgrid-editor.php:192
action · body_class · includes\class-boldgrid-editor.php:193
filter · use_block_editor_for_post · includes\class-boldgrid-editor.php:251
filter · ppb_get_onboarding_videos · includes\class-boldgrid-editor.php:282
action · admin_footer · includes\class-boldgrid-editor.php:284
action · load-post.php · includes\class-boldgrid-editor.php:285
action · load-post-new.php · includes\class-boldgrid-editor.php:286
action · save_post · includes\class-boldgrid-editor.php:288
action · save_post · includes\class-boldgrid-editor.php:289
action · edit_form_after_title · includes\class-boldgrid-editor.php:290
action · save_post · includes\class-boldgrid-editor.php:291
action · save_post · includes\class-boldgrid-editor.php:292
action · media_buttons · includes\class-boldgrid-editor.php:294
action · admin_enqueue_scripts · includes\class-boldgrid-editor.php:295
action · shutdown · includes\class-boldgrid-editor.php:298
action · admin_enqueue_scripts · includes\class-boldgrid-editor.php:308
filter · mce_css · includes\class-boldgrid-editor.php:311
action · admin_print_footer_scripts · includes\class-boldgrid-editor.php:314
filter · the_editor · includes\class-boldgrid-editor.php:318
filter · tiny_mce_before_init · includes\class-boldgrid-editor.php:332
filter · Boldgrid\Library\Notifications\DashboardWidget\getFeaturePlugin\post-and-page-builder · includes\class-boldgrid-editor.php:350
filter · BoldgridEditor\Config · includes\class-boldgrid-editor.php:362
filter · boldgrid/display_sidebar · includes\gridblock\class-boldgrid-editor-gridblock-post.php:198
action · init · includes\gridblock\class-boldgrid-editor-gridblock-post.php:232
action · admin_menu · includes\gridblock\class-boldgrid-editor-gridblock-post.php:235
action · template_include · includes\gridblock\class-boldgrid-editor-gridblock-post.php:236
action · template_redirect · includes\gridblock\class-boldgrid-editor-gridblock-post.php:237
filter · media_upload_tabs · includes\media\class-boldgrid-editor-media-tab.php:111
action · admin_enqueue_scripts · includes\media\class-boldgrid-editor-media-tab.php:178
action · admin_enqueue_scripts · includes\View\Classic.php:30
action · enqueue_block_editor_assets · includes\View\Gutenberg.php:39
filter · plugin_action_links_post-and-page-builder/post-and-page-builder.php · includes\View\Plugins.php:30
action · admin_menu · includes\View\Settings.php:30
action · admin_init · includes\View\Settings.php:31
action · admin_init · includes\View\Settings.php:32
action · bgppb_form_default_editor · includes\View\Settings.php:33
filter · admin_body_class · includes\View\Settings.php:76
action · admin_enqueue_scripts · includes\View\Settings.php:88
action · activate_boldgrid-editor/boldgrid-editor.php · post-and-page-builder.php:80
action · upgrader_process_complete · post-and-page-builder.php:115
filter · boldgrid_theme_framework_config · post-and-page-builder.php:119
action · init · post-and-page-builder.php:123
action · setup_theme · post-and-page-builder.php:125
filter · boldgrid/display_sidebar · support\bgtfw\class-boldgrid-editor-bgtfw-template.php:30
action · admin_enqueue_scripts · support\wpforms\includes\class-boldgrid-editor-wpforms-media.php:103
action · admin_enqueue_scripts · support\wpforms\includes\class-boldgrid-editor-wpforms-media.php:108
action · admin_init · support\wpforms\includes\class-boldgrid-editor-wpforms.php:114
action · print_media_templates · support\wpforms\includes\class-boldgrid-editor-wpforms.php:155
filter · wpforms_display_media_button · support\wpforms\includes\class-boldgrid-editor-wpforms.php:156
action · admin_enqueue_scripts · support\wpforms\includes\class-boldgrid-editor-wpforms.php:159
filter · mce_css · support\wpforms\includes\class-boldgrid-editor-wpforms.php:160
Maintenance & Trust

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 19, 2025
PHP min version: 5.4
Downloads: 1.7M

Community Trust

Rating: 94/100
Number of ratings: 140
Active installs: 60K
Developer Profile

Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Developer Profile

BoldGrid

15 plugins · 1.1M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 841 days
Detection Fingerprints

How We Detect Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/post-and-page-builder/dist/js/boldgrid-editor-frontend.js
/wp-content/plugins/post-and-page-builder/dist/css/boldgrid-editor-frontend.css
/wp-content/plugins/post-and-page-builder/dist/js/boldgrid-editor-backend.js
/wp-content/plugins/post-and-page-builder/dist/css/boldgrid-editor-backend.css

Script Paths
/wp-content/plugins/post-and-page-builder/vendor/autoload.php

Version Parameters
post-and-page-builder/dist/js/boldgrid-editor-frontend.js?ver=
post-and-page-builder/dist/css/boldgrid-editor-frontend.css?ver=
post-and-page-builder/dist/js/boldgrid-editor-backend.js?ver=
post-and-page-builder/dist/css/boldgrid-editor-backend.css?ver=

HTML / DOM Fingerprints

CSS Classes
boldgrid-editor-wrapper
bg-font-family-alt
bg-font-family-body
bg-font-family-heading
bg-font-family-menu

HTML Comments
<!-- BoldGrid Editor Content -->
<!-- Content -->
<!-- Page and Post Builder Content -->
<!-- End Page and Post Builder Content -->
(4 more not listed)

Data Attributes
data-boldgrid-editor

JS Globals
window.BoldgridEditor
FAQ

Frequently Asked Questions about Post and Page Builder by BoldGrid – Visual Drag and Drop Editor