Bold Page Builder
bold-page-builder
Total installs: 40,000
Total vulns: 14
Critical: 0
High: 0
Medium: 14
Low: 0
Latest vuln: —
Patched: 10
Unpatched: 4
Avg time to patch: —

Vulnerabilities (14)
Bold Page Builder <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode
Severity: medium
Status: patched
CVE ID: CVE-2026-3694
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: May 13, 2026
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Severity: medium
Status: unpatched
CVE ID: CVE-2025-12159
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Feb 6, 2026
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid
Severity: medium
Status: unpatched
CVE ID: CVE-2025-13463
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Feb 6, 2026
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode
Severity: medium
Status: unpatched
CVE ID: CVE-2025-12803
CVSS score: 6.4
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Published: Feb 6, 2026
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode
Severity: medium
Status: unpatched
CVE ID: CVE-2025-15267
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Feb 6, 2026
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium
Status: patched
CVE ID: CVE-2026-25451
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Jan 20, 2026
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium
Status: patched
CVE ID: CVE-2025-66057
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Nov 27, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter
Severity: medium
Status: patched
CVE ID: CVE-2025-7730
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Oct 23, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘percentage’ parameter in all versions up to, and including, 5.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium
Status: patched
CVE ID: CVE-2025-58194
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Aug 27, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium
Status: patched
CVE ID: CVE-2025-54006
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: Jul 16, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Builder <= 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter
Severity: medium
Status: patched
CVE ID: CVE-2025-5286
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: May 28, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-text' Parameter
Severity: medium
Status: patched
CVE ID: CVE-2025-3715
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: May 17, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium
Status: patched
CVE ID: CVE-2025-47488
CVSS score: 6.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: May 7, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Bold Page Builder <= 5.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Severity: medium
Status: patched
CVE ID: CVE-2025-47525
CVSS score: 4.4
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Published: May 7, 2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.