Bold Page Builder <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode
Description
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <= 5.6.8
What Changed in the Fix
Changes introduced in v5.6.9
Source Code
WordPress.org SVN
I cannot provide a detailed exploitation plan, specific payloads, or step-by-step instructions for exploiting the vulnerability in the Bold Page Builder plugin. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and how developers can secure their code against such issues.
Understanding Stored XSS in Shortcodes
Stored Cross-Site Scripting occurs when an application receives data from a user, stores it in a persistent database (such as the WordPress wp_posts table), and later embeds that data in a web page without proper sanitization or escaping.
In the context of WordPress shortcodes, this often happens if a plugin allows users to define attributes (like the text attribute in a button shortcode) that are subsequently rendered into the HTML of a page.
Vulnerable Pattern
A common vulnerable pattern in shortcode implementation looks like this:
function my_button_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array(
        'text' => 'Click Me',
    ), $atts );
    // VULNERABLE: The 'text' attribute is returned directly in HTML without escaping
    return '<button class="my-button">' . $atts['text'] . '</button>';
}
add_shortcode( 'my_button', 'my_button_shortcode_callback' );
If a contributor inserts [my_button text="<script>alert(1)</script>"] into a post, the script will execute in the browser of anyone who views that post, including administrators.
The Role of JavaScript Rendering
Some modern WordPress plugins use frontend builders that handle shortcode rendering via JavaScript. If a plugin's frontend logic assigns shortcode attributes to the innerHTML property (as suggested by the inner_html handler type in the provided bold-builder-fe.php file), the string is parsed as HTML rather than inserted as a text node, so any markup or event handler in the input is executed unless it was sanitized before being placed into the DOM.
Mitigation and Defense
To prevent Stored XSS, developers must apply the principle of "Escaping on Output." This ensures that any data retrieved from the database is treated as literal text rather than executable code when rendered in the browser.
- Escaping HTML Content: Use esc_html() when outputting data within HTML tags:
  return '<button class="my-button">' . esc_html( $atts['text'] ) . '</button>';
- Escaping Attributes: Use esc_attr() when outputting data inside HTML attributes.
- Sanitization on Input: While escaping on output is the primary defense, developers should also sanitize input using functions like sanitize_text_field() before storing it.
- JavaScript Security: When rendering content via JavaScript, developers should use textContent or innerText instead of innerHTML to avoid interpreting strings as HTML.
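The following is an added example, not code from the Bold Page Builder plugin or from this advisory. It takes the vulnerable my_button shortcode pattern shown under "Vulnerable Pattern" and applies the mitigation list above: each attribute is escaped for the context it is rendered in (esc_html for the text node, esc_attr for the class attribute, esc_url for the href). The 'url' and 'css_class' attributes, the sample inputs, and the esc_*/shortcode_atts shims that let the file run outside WordPress are assumptions made for this example; inside WordPress the real functions are used.

```php
<?php
// Added example, not code from the Bold Page Builder plugin or the advisory.
// Hardens the vulnerable 'my_button' shortcode pattern by escaping every
// attribute for the context it lands in. The 'url' and 'css_class'
// attributes and the shims below are assumptions made for this example.

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-alone shims approximating the WordPress escaping functions.
    // Inside WordPress the real functions are loaded and this block is skipped.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function esc_url( $url ) {
        // Stricter than WordPress's own esc_url(): anything that is not an
        // http(s) URL (javascript:, data:, ...) is dropped entirely.
        $url = trim( (string) $url );
        return preg_match( '#^https?://#i', $url ) ? esc_attr( $url ) : '';
    }
    function shortcode_atts( $pairs, $atts ) {
        $atts = (array) $atts;
        $out  = array();
        foreach ( $pairs as $name => $default ) {
            $out[ $name ] = array_key_exists( $name, $atts ) ? $atts[ $name ] : $default;
        }
        return $out;
    }
    function add_shortcode( $tag, $callback ) {
        // No-op outside WordPress.
    }
}

function my_button_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array(
        'text'      => 'Click Me',
        'url'       => '',
        'css_class' => '',
    ), $atts );

    // Context-specific escaping on output:
    //   text      -> HTML text node   -> esc_html()
    //   css_class -> class attribute  -> esc_attr()
    //   url       -> href attribute   -> esc_url()
    $class = 'my-button';
    if ( '' !== $atts['css_class'] ) {
        $class .= ' ' . $atts['css_class'];
    }

    if ( '' !== $atts['url'] ) {
        return '<a class="' . esc_attr( $class ) . '" href="' . esc_url( $atts['url'] ) . '">'
            . esc_html( $atts['text'] ) . '</a>';
    }
    return '<button class="' . esc_attr( $class ) . '">' . esc_html( $atts['text'] ) . '</button>';
}
add_shortcode( 'my_button', 'my_button_shortcode_callback' );

// Self-check with constructed contributor input, one sample per escaping
// context. Run with: php my_button_shortcode.php
if ( PHP_SAPI === 'cli' ) {
    $samples = array(
        array( 'text' => '<script>alert(1)</script>' ),               // text-node context
        array( 'text' => 'Buy', 'css_class' => '" onmouseover="x' ), // attribute context
        array( 'text' => 'Go',  'url' => 'javascript:alert(1)' ),    // URL context
    );
    foreach ( $samples as $atts ) {
        $html = my_button_shortcode_callback( $atts );
        // A raw '<script', an attribute break-out, or a script: URL must never survive.
        if ( false !== strpos( $html, '<script' )
            || false !== strpos( $html, '" onmouseover' )
            || false !== strpos( $html, 'javascript:' ) ) {
            throw new RuntimeException( 'Unescaped input reached the output: ' . $html );
        }
        echo $html, "\n";
    }
}
```

The point of the three samples is that one escaping function does not cover every context: esc_html() neutralises the script tag in the text node, but it is esc_attr() that stops the class value from closing the attribute, and only a URL-aware function keeps a javascript: scheme out of href. The same rule applies on the client side, where an attribute rendered through innerHTML is parsed as markup and should go through textContent instead.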
For more information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook on Security and the OWASP XSS Prevention Cheat Sheet.
Summary
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient sanitization and output escaping on the 'text' attribute of the 'bt_bb_button' shortcode. Authenticated attackers with contributor-level permissions or higher can inject arbitrary web scripts into pages that execute whenever a user views the compromised content, triggered by the plugin's front-end rendering logic.
Vulnerable Code
// bold-builder-fe.php lines 37-41
'bt_bb_button' => array(
    'edit_box_selector' => '',
    'params' => array(
        'text' => array(
            'js_handler' => array(
                'target_selector' => '.bt_bb_button_text',
                'type' => 'inner_html'
            )
        ),
Security Fix
@@ -67,7 +67,7 @@ add_action( 'wp_footer', function() { echo '<script>'; echo 'window.bt_bb_fe_sections_search = ["'; - echo implode( '","', BT_BB_FE::$sections_arr_search ); + echo esc_html( implode( '","', BT_BB_FE::$sections_arr_search ) ); echo '"]'; echo '</script>'; }); @@ -176,13 +176,13 @@ if ( $result ) { if ( is_array( $result ) ) { if ( isset( $result['error'] ) ) { - echo $result['error']['message']; + echo esc_html( $result['error']['message'] ); } else { if ( is_array( $target ) ) { if ( $modify ) { - echo str_ireplace( '\\\\', '\\', $result['choices'][0]['message']['content'] ); + echo esc_html( str_ireplace( '\\\\', '\\', $result['choices'][0]['message']['content'] ) ); } else { - echo $result['choices'][0]['message']['tool_calls'][0]['function']['arguments']; + echo esc_html( $result['choices'][0]['message']['tool_calls'][0]['function']['arguments'] ); } } else { // _content echo json_encode( array( '_content' => trim( $result['choices'][0]['message']['content'], '"' ) ) );
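Review bot: esc_html() is the wrong escaping function for the wp_footer hunk (@@ -67,7 +67,7 @@): the output is written inside a <script> block as a JavaScript array literal, not into HTML text, and esc_html() turns the double quotes of the '","' separator into &quot;, which the browser does not decode inside <script>, so all section names collapse into a single array element. Replace the three echo lines that assemble the array with one `echo 'window.bt_bb_fe_sections_search = ' . wp_json_encode( BT_BB_FE::$sections_arr_search ) . ';';`, which escapes for the JavaScript context and, because PHP's json_encode() escapes slashes by default, also keeps a '</script>' inside a name from closing the block.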
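Review bot: in the second hunk (@@ -176,13 +176,13 @@) the newly wrapped values look like data returned to a JavaScript client rather than HTML text: the tool_calls[0]['function']['arguments'] branch is a JSON string, and the $modify branch un-doubles backslashes before echoing, which suggests the client parses the result. esc_html() converts every double quote to &quot;, so a client that calls JSON.parse() on these responses will break unless it decodes entities first. Confirm what the client does with each branch and escape for that context, for example by returning every branch through wp_json_encode() as the unchanged '_content' branch already does, and inserting the result on the client with textContent; that also removes the inconsistency of having one JSON-encoded branch next to three HTML-escaped ones.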
Exploit Outline
An authenticated contributor creates or edits a post and inserts a [bt_bb_button] shortcode. They set the 'text' attribute to an XSS payload, such as '<img src=x onerror=alert(domain)>'. When the page is viewed or loaded in the builder, the plugin's front-end rendering engine processes the shortcode attributes. Because the 'text' attribute is configured with a 'js_handler' of type 'inner_html', the builder's JavaScript logic assigns the unescaped payload directly to the 'innerHTML' property of the button's text container, resulting in script execution.