Bold Page Builder Plugin Vulnerability (CVE-2026-3694)

Security Alert Summary

The Bold Page Builder plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the bt_bb_button shortcode’s text attribute. Authenticated users with contributor-level access or higher can inject scripts that execute when other users view the affected pages. The issue is caused by insufficient input sanitization and output escaping of user-supplied attributes.

CVE Details

• CVE ID: CVE-2026-3694
• Affected component: Bold Page Builder plugin for WordPress
• Affected versions: All versions up to, and including, 5.6.8
• Published: May 14, 2026 at 7:16:18 AM UTC
• Last modified: May 14, 2026 at 2:28:41 PM UTC
• CVSS v3.1: Base score 6.4, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
• Authentication / privileges: Attacker requires authenticated access; privilege required: low (contributor-level access and above). User interaction: none.
• Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
• Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)

Technical Details

This vulnerability allows stored cross-site scripting via the text attribute of the bt_bb_button shortcode. The plugin fails to properly sanitize input provided in that attribute and does not escape the value on output, allowing an attacker to inject arbitrary JavaScript into the page content. Because the injected content is stored in the page and rendered to visitors, the script will run whenever a user accesses the page containing the malicious shortcode.

The root cause is insufficient input validation and missing output escaping for user-supplied shortcode attributes. The vulnerability requires an authenticated user with contributor-level privileges or higher to add or edit page content that contains the vulnerable shortcode attribute.

How This Could Impact Your Website

Consider a site where a site owner delegates content creation to internal staff and external contributors. A contributor could insert a malicious bt_bb_button shortcode with crafted text content into a page or post. When other users, including editors or administrators, view that page, the injected script can execute in their browsers. Practical consequences include exposure of session cookies or other data accessible in the browser context and the potential for actions performed in the context of the victim user.

Real-world impacts may include exposure of internal user email addresses visible on affected pages and an increased risk of targeted phishing or social engineering using data harvested from a successful XSS exploit. If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

• Update the affected plugin as soon as a patched version is available.
• Review and reduce unnecessary user roles, especially contributor accounts that can submit content.
• Enforce strong passwords and enable two-factor authentication for editors and administrators.
• Remove unused or unmaintained plugins from your site.
• Monitor site activity and logs for unusual behavior related to content changes or unexpected page output.

If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

References

• https://plugins.trac.wordpress.org/changeset/3479329/bold-page-builder
• https://www.wordfence.com/threat-intel/vulnerabilities/id/b28ad91f-40fa-476e-b41f-da4dd2372e21?source=cve