Security Alert Summary
The Bold Page Builder plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the bt_bb_tabs shortcode that affects all versions up to and including 5.5.1. Insufficient input sanitization and output escaping of user-supplied attributes allow authenticated users with contributor-level access and above to inject scripts that execute when an affected page is viewed.
CVE Details
- CVE ID:
CVE-2025-12803 - Affected component: Bold Page Builder plugin (vulnerability in the
bt_bb_tabsshortcode) - Affected versions: All versions up to and including 5.5.1
- Published: February 7, 2026 at 6:16:03 AM UTC
- Last modified: February 7, 2026 at 6:16:03 AM UTC
- CVSS v3.1: Base Score 6.4 (MEDIUM) — Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication & privileges: Requires an authenticated user with low privileges (contributor-level access and above)
- User interaction: None required to trigger the injected script once a vulnerable page is accessed
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
- Fixed version: Not specified in the CVE entry
Technical Details
The vulnerability is a stored Cross-Site Scripting (XSS) issue resulting from insufficient input sanitization and inadequate output escaping of user-supplied attributes for the bt_bb_tabs shortcode in the Bold Page Builder plugin. Because user-controlled attribute values are stored and later rendered in pages, an authenticated user with contributor-level access or higher can inject arbitrary JavaScript into a page.
The injected script will execute in the browser of any user who visits the page containing the malicious shortcode output. The CVE description and referenced plugin files indicate the issue is located in the bt_bb_tabs implementation (see bt_bb_tabs.php in the plugin code references), where sanitization and escaping checks are insufficient.
Impact is limited to the effects typical of stored XSS: execution of attacker-supplied scripts in the context of the affected site. The available data does not indicate remote code execution on the server or a direct availability impact.
How This Could Impact Your Website
Consider a small team-managed WordPress site where the site owner delegates content creation to internal staff and external contributors. If a contributor-level account is compromised or misused, an attacker could inject JavaScript into a page via the vulnerable shortcode. When editors, administrators, or site visitors view that page, the script could run in their browsers.
- Internal staff or contractors viewing the page could have limited information exposed to the attacker (consistent with the CVSS confidentiality impact being low).
- An attacker could attempt targeted phishing or social engineering using information available to the visitor (for example, displaying malicious prompts or harvesting visible data), increasing the risk to site users.
- Because the CVSS impact to integrity is rated low, the primary risk is manipulation of displayed content or client-side actions rather than full site takeover or server compromise.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and accounts, especially contributor-level accounts.
- Enforce strong passwords and enable two-factor authentication (2FA) for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and logs for unusual behavior or unexpected content changes on pages that use the Bold Page Builder shortcodes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php
- https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65
- https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve