[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fv6yCj5nzn4HSRBV7v9kjNa9ESE6pC4zM2Lwc0xgZvzs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3694","bold-page-builder-authenticated-contributor-stored-cross-site-scripting-via-btbbbutton-shortcode-2","Bold Page Builder \u003C= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode","The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","bold-page-builder",null,"\u003C=5.6.8","5.6.9","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-13 18:18:34","2026-05-14 06:44:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb28ad91f-40fa-476e-b41f-da4dd2372e21?source=api-prod",1,[22,23,24,25,26,27,28,29],"add-section-template.php","admin-notice-rating.php","ai\u002Fai.js","ai\u002Fai.php","bold-builder-fe.php","bold-builder.php","build\u002Fbundle.js","build\u002Fbundle_fe.js","researched",false,3,"I cannot provide a detailed exploitation plan, specific payloads, or step-by-step instructions for exploiting the vulnerability in the Bold Page Builder plugin. 
I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within WordPress shortcodes and how developers can secure their code against such issues.\n\n### Understanding Stored XSS in Shortcodes\n\nStored Cross-Site Scripting occurs when an application receives data from a user, stores it in a persistent database (such as the WordPress `wp_posts` table), and later embeds that data in a web page without proper sanitization or escaping.\n\nIn the context of WordPress shortcodes, this often happens if a plugin allows users to define attributes (like the `text` attribute in a button shortcode) that are subsequently rendered into the HTML of a page.\n\n#### Vulnerable Pattern\n\nA common vulnerable pattern in shortcode implementation looks like this:\n\n```php\nfunction my_button_shortcode_callback( $atts ) {\n    $atts = shortcode_atts( array(\n        'text' => 'Click Me',\n    ), $atts );\n\n    \u002F\u002F VULNERABLE: The 'text' attribute is returned directly in HTML without escaping\n    return '\u003Cbutton class=\"my-button\">' . $atts['text'] . '\u003C\u002Fbutton>';\n}\nadd_shortcode( 'my_button', 'my_button_shortcode_callback' );\n```\n\nIf a contributor inserts `[my_button text=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]` into a post, the script will execute in the browser of anyone who views that post, including administrators.\n\n#### The Role of JavaScript Rendering\n\nSome modern WordPress plugins use frontend builders that handle shortcode rendering via JavaScript. 
If a plugin’s frontend logic assigns shortcode attributes to `innerHTML` (as the `inner_html` handler type in the provided `bold-builder-fe.php` file suggests, although the JavaScript that consumes that configuration is not shown), the value is parsed as markup instead of being rendered as a text node. Browsers do not execute `\u003Cscript>` elements inserted through `innerHTML`, but event-handler attributes such as `onerror` or `onload` and other active markup in that string do run, so unsanitized input still results in script execution.\n\n### Mitigation and Defense\n\nTo prevent Stored XSS, developers must apply the principle of \"Escaping on Output.\" This ensures that any data retrieved from the database is treated as literal text rather than executable code when rendered in the browser.\n\n1.  **Escaping HTML Content:** Use `esc_html()` when outputting data within HTML tags.\n    ```php\n    return '\u003Cbutton class=\"my-button\">' . esc_html( $atts['text'] ) . '\u003C\u002Fbutton>';\n    ```\n2.  **Escaping Attributes:** Use `esc_attr()` when outputting data inside HTML attributes, and `esc_url()` for `href`\u002F`src` values; the escaping function must match the output context.\n3.  **Sanitization on Input:** While escaping on output is the primary defense, developers should also sanitize input using functions like `sanitize_text_field()` before storing it. For shortcode attributes the value lives inside the post content, so the sanitization has to happen in the shortcode callback itself (for example `sanitize_text_field()` for plain text, or `wp_kses_post()` if limited HTML is intended). Contributor-level users lack the `unfiltered_html` capability, so WordPress already runs `wp_kses_post()` over their post content at save time; treat that as defense in depth, not as a substitute for escaping in the callback.\n4.  **JavaScript Security:** When rendering content via JavaScript, developers should use `textContent` or `innerText` instead of `innerHTML` to avoid interpreting strings as HTML; if HTML really must be rendered, pass it through an HTML sanitizer first.\n\nFor more information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP XSS Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross_Site_Scripting_Prevention_Cheat_Sheet.html).","The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient sanitization and output escaping on the 'text' attribute of the 'bt_bb_button' shortcode. 
Authenticated attackers with contributor-level permissions or higher can inject arbitrary web scripts into pages that execute whenever a user views the compromised content, triggered by the plugin's front-end rendering logic. Read the research artifacts below with care: the cited vulnerable code is the front-end builder's handler configuration for the 'text' parameter, not the PHP shortcode callback that renders 'bt_bb_button' on a published page, and the diff excerpt (4.9.8 against 5.6.9, a far wider span than 5.6.8 to 5.6.9) only shows esc_html() additions in add-section-template.php and ai\u002Fai.php that do not touch the 'text' attribute, so the change that actually fixed this issue is not evidenced here. Note also that the add-section-template.php hunk escapes data emitted inside a \u003Cscript> block with esc_html(); that stops the value from breaking out of the JavaScript string literal but entity-encodes legitimate characters, and wp_json_encode() would be the context-appropriate encoder.","\u002F\u002F bold-builder-fe.php lines 37-41\n\t\t\t'bt_bb_button' => array(\n\t\t\t\t'edit_box_selector' => '',\n\t\t\t\t'params' => array(\n\t\t\t\t\t'text' \t\t\t\t=> array( 'js_handler'\t=> array( 'target_selector' => '.bt_bb_button_text', 'type' => 'inner_html' ) ),","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F4.9.8\u002Fadd-section-template.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F5.6.9\u002Fadd-section-template.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F4.9.8\u002Fadd-section-template.php\t2024-05-30 13:54:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F5.6.9\u002Fadd-section-template.php\t2026-03-10 17:55:28.000000000 +0000\n@@ -67,7 +67,7 @@\n add_action( 'wp_footer', function() {\n \techo '\u003Cscript>';\n \t\techo 'window.bt_bb_fe_sections_search = [\"';\n-\t\techo implode( '\",\"', BT_BB_FE::$sections_arr_search );\n+\t\techo esc_html( implode( '\",\"', BT_BB_FE::$sections_arr_search ) );\n \t\techo '\"]';\n \techo '\u003C\u002Fscript>';\n });\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F4.9.8\u002Fai\u002Fai.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F5.6.9\u002Fai\u002Fai.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F4.9.8\u002Fai\u002Fai.php\t2024-05-30 13:54:02.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbold-page-builder\u002F5.6.9\u002Fai\u002Fai.php\t2026-03-10 17:55:28.000000000 +0000\n@@ -176,13 +176,13 @@\n \tif ( $result ) {\n \t\tif ( is_array( $result ) ) {\n \t\t\tif ( isset( $result['error'] ) ) {\n-\t\t\t\techo $result['error']['message'];\n+\t\t\t\techo esc_html( $result['error']['message'] );\n \t\t\t} else {\n \t\t\t\tif ( is_array( $target ) ) {\n \t\t\t\t\tif ( $modify ) {\n-\t\t\t\t\t\techo str_ireplace( '\\\\\\\\', '\\\\', $result['choices'][0]['message']['content'] );\n+\t\t\t\t\t\techo esc_html( str_ireplace( '\\\\\\\\', '\\\\', $result['choices'][0]['message']['content'] ) );\n \t\t\t\t\t} else {\n-\t\t\t\t\t\techo $result['choices'][0]['message']['tool_calls'][0]['function']['arguments'];\n+\t\t\t\t\t\techo esc_html( $result['choices'][0]['message']['tool_calls'][0]['function']['arguments'] );\n \t\t\t\t\t}\n \t\t\t\t} else { \u002F\u002F _content\n \t\t\t\t\techo json_encode( array( '_content' => trim( $result['choices'][0]['message']['content'], '\"' ) ) );","An authenticated contributor creates or edits a post and inserts a [bt_bb_button] shortcode. They set the 'text' attribute to an XSS payload, such as '\u003Cimg src=x onerror=alert(domain)>'. When the page is viewed or loaded in the builder, the plugin's front-end rendering engine processes the shortcode attributes. 
Because the 'text' attribute is configured with a 'js_handler' of type 'inner_html' in bold-builder-fe.php, the builder's JavaScript presumably assigns the unescaped attribute value to the 'innerHTML' property of the button's text container; the script that consumes this configuration (build\u002Fbundle_fe.js) is not shown, so the innerHTML assignment is inferred from the handler name rather than observed. Markup inserted via innerHTML does not run '\u003Cscript>' elements, but an event handler such as the 'onerror' in the payload above does fire, resulting in script execution. Two caveats apply before relying on this outline: contributor-level users lack the 'unfiltered_html' capability, so their post content passes through wp_kses_post() on save and a raw '\u003Cimg onerror=...>' payload inside the shortcode may be stripped before it is stored; and the 'inner_html' handler belongs to the front-end builder, whereas the impact on visitors of the published page depends on the PHP shortcode callback for 'bt_bb_button', which is not included here.","gemini-3-flash-preview","2026-05-14 16:58:40","2026-05-14 16:59:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.9.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbold-page-builder\u002Ftags\u002F4.9.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbold-page-builder.4.9.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbold-page-builder\u002Ftags\u002F5.6.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbold-page-builder.5.6.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbold-page-builder\u002Ftags"]