Attack Vectors
CVE-2026-25451 is a Medium-severity stored cross-site scripting (XSS) issue (CVSS 6.4) affecting Bold Page Builder (slug: bold-page-builder) versions up to and including 5.6.7. The vulnerability can be exploited by an authenticated user with Contributor-level access or higher.
In practical terms, an attacker who can log into WordPress with at least Contributor permissions could inject malicious script content into a page or content element managed by Bold Page Builder. Because it is stored, the injected script can execute later for anyone who views the affected page—potentially including marketing staff, site admins, executives reviewing landing pages, or customers.
This risk is especially relevant for organizations that grant Contributor access to agencies, freelancers, interns, or multiple internal teams, or where account sharing and weak password practices make it easier for an attacker to obtain low-level credentials.
Security Weakness
The underlying weakness is insufficient input sanitization and output escaping in Bold Page Builder (through version 5.6.7). This means the plugin does not adequately clean potentially dangerous input before saving it, and/or does not safely render saved content when displaying it to site visitors.
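Because this is an authenticated stored XSS, it is not purely a “drive-by” internet attack; it typically requires a user account. However, Contributor accounts are common in content-heavy environments, which increases exposure. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) also indicates that the issue can be triggered over the network (AV:N) with low attack complexity (AC:L), requires low privileges (PR:L), and has a changed scope (S:C), meaning it can impact parts of the site context beyond the plugin itself, such as the browser session of whoever views the page. The rated impact is low for confidentiality and integrity (C:L/I:L), with no availability impact (A:N).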
Remediation note: Per the referenced advisory, there is currently no known patch available. Organizations should evaluate mitigations aligned to their risk tolerance, and it may be best to uninstall the affected software and replace it if the risk is unacceptable.
Technical or Business Impacts
Stored XSS can create immediate business risk even when it originates from a lower-privileged account. Potential impacts include:
Brand and customer trust damage: Malicious scripts can alter page content, inject unwanted pop-ups, or redirect visitors—undermining trust in marketing campaigns, landing pages, and brand messaging.
Credential and session risk: Depending on how the injected scripts are used, attackers may attempt to capture user actions or leverage authenticated sessions when privileged users (such as administrators or marketing managers) view compromised pages.
Compliance and privacy exposure: If pages handling customer data, lead forms, or tracking scripts are modified, the organization may face privacy concerns and regulatory scrutiny, especially if users are redirected or manipulated without consent.
Operational disruption: Incident response can consume significant time across Marketing, IT, and Compliance—campaigns may need to be paused, pages audited, and content restored, impacting revenue and timelines.
Given the absence of a known patch, risk-based mitigations may include removing/replacing Bold Page Builder, tightening Contributor permissions, reviewing who has content-edit access, enforcing strong authentication, and auditing existing pages for unexpected scripts—especially high-traffic landing pages and conversion funnels.
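One way to start the page audit mentioned above, as an added example that is not code from the advisory or from Bold Page Builder: a Python triage pass over exported post content that flags script-bearing markup and records the author's role. The row layout, the shortcode names and the assumption that builder attributes may hold entity-encoded or percent-encoded values are illustrative, not taken from the plugin.

```python
import html
import re
from urllib.parse import unquote

# Patterns for script-bearing markup; a triage heuristic, not a sanitizer.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"[\s\"'/]on[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "iframe_srcdoc": re.compile(r"<\s*iframe\b[^>]*\bsrcdoc\s*=", re.I),
}

def normalize(content, rounds=3):
    """Undo layered HTML-entity and percent encoding (assumed storage forms)."""
    for _ in range(rounds):
        decoded = unquote(html.unescape(content))
        if decoded == content:
            break
        content = decoded
    return content

def audit_posts(posts):
    """Return (post_id, author_role, sorted pattern names) for each flagged post."""
    findings = []
    for post in posts:
        text = normalize(post["content"])
        hits = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
        if hits:
            findings.append((post["id"], post["author_role"], hits))
    return findings

# Constructed sample rows (not real site data); shortcode names are hypothetical.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "editor",
     "content": '[example_heading title="Spring sale"]<p>Save 20% today.</p>'},
    {"id": 102, "author_role": "contributor",
     "content": '[example_image alt="x&quot; onmouseover=&quot;alert(1)"]'},
    {"id": 103, "author_role": "contributor",
     "content": '[example_text body="%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fa.js%22%3E%3C%2Fscript%3E"]'},
    {"id": 104, "author_role": "author",
     "content": '<a href="JavaScript:void(0)">Read more</a>'},
]

if __name__ == "__main__":
    for post_id, role, hits in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id} (author role: {role}): {', '.join(hits)}")
```

Hits are leads for manual review: legitimate embeds and tracking snippets will also match, so compare flagged posts against what Marketing expects to be on each page.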
Similar Attacks
Stored XSS in WordPress plugins has been a recurring issue across the ecosystem, often allowing authenticated users to inject scripts that execute for site visitors or admins. For context, here are a few real examples:
CVE-2021-24284 (WP HTML Mail plugin) – a stored XSS example affecting WordPress plugin functionality.
CVE-2019-9978 (Social Warfare plugin) – a widely reported WordPress plugin issue involving script injection risk.
CVE-2022-21661 (WordPress core) – an example of how script-related vulnerabilities can impact broad WordPress deployments.