Security Alert Summary
The Bold Page Builder plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the bt_bb_raw_content shortcode. Authenticated users with contributor-level access or higher can inject scripts via user-supplied shortcode attributes, which will execute when a page containing the injected content is viewed.
CVE Details
- CVE ID: CVE-2025-12159
- Affected component: Bold Page Builder plugin (issue in the
bt_bb_raw_contentshortcode) - Affected versions: All versions up to and including 5.4.8
- Published: February 7, 2026 at 6:16 AM UTC
- Last modified: February 7, 2026 at 6:16 AM UTC
- CVSS v3.1: Base Score 6.4 — MEDIUM; Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / privileges / user interaction: Authentication required — attacker must be an authenticated user with low privileges (PR:L), consistent with contributor-level access or above; no user interaction required (UI:N).
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue rooted in insufficient input sanitization and output escaping of user-supplied attributes for the bt_bb_raw_content shortcode. Because attribute values are not properly sanitized or escaped before being stored or rendered, an authenticated user with contributor-level privileges or higher can inject arbitrary script content into a page. The injected script is stored in the page content and will execute in the browsers of users who view the affected page.
The CVE description specifically identifies the bt_bb_raw_content shortcode and points to missing input validation and output escaping as the cause. No additional endpoints or functions are named in the CVE beyond this shortcode reference.
Impact is limited to what stored XSS typically enables in the context of page rendering: execution of attacker-supplied scripts in the context of the site for visitors of the injected page. The CVSS metrics indicate confidentiality and integrity impacts are low and availability is not affected.
How This Could Impact Your Website
Consider a small team managing a WordPress site: the site owner, a content editor, and an external contractor with contributor access. If the contractor (or any user with contributor-level access) inserts a malicious attribute value into the bt_bb_raw_content shortcode, that page will store the injected script. When other users—staff, administrators, or site visitors—view the page, the script can execute in their browsers.
Practical consequences include disclosure of data accessible in a visitor’s browser context (for example, session tokens or profile information visible to the page), and increased risk of targeted phishing or social-engineering attacks against staff or frequent visitors. The integrity of page content could be affected in ways visible to users, but the vulnerability does not indicate direct server-side compromise or availability impact.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE notes affected versions up to and including 5.4.8.)
- Review and reduce unnecessary user roles, especially contributors — restrict who can add or edit shortcode content.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and page content for unusual changes or unexpected script tags in rendered pages.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
