Security Alert Summary
The Bold Page Builder plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its Post Grid component that allows authenticated users with Author-level access and above to inject JavaScript that will run when a page containing the injected content is viewed. The issue is caused by insufficient input sanitization and output escaping in the affected component.
CVE Details
- CVE ID: CVE-2025-13463
- Affected component: Bold Page Builder plugin — Post Grid component
- Affected versions: All versions up to and including 5.5.3
- Fixed version: Not specified in the CVE entry
- Published: February 7, 2026 at 6:16:03 AM UTC
- Last modified: February 7, 2026 at 6:16:03 AM UTC
- CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / privileges / user interaction: Requires authenticated user privileges (Privileges Required: Low). The CVE description specifies exploitation by users with Author-level access and above. User interaction is not required (UI:N).
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue in the plugin’s Post Grid component caused by insufficient input sanitization and missing or inadequate output escaping. As a result, an authenticated user with Author-level access or higher can inject arbitrary web scripts into content rendered by the Post Grid. Those scripts execute in the context of any site visitor who views the injected page.
The CVE references the Post Grid implementation files (for example, bt_bb_css_post_grid.js and bt_bb_css_post_grid.php), indicating the issue is located in the Post Grid component code where input is accepted and later rendered without proper sanitization and escaping. Because the flaw is stored, injected payloads persist and execute on page view.
Impact is limited to actions possible via client-side script execution in the context of a user viewing the affected page (for example, reading or manipulating DOM-visible data available to that user, altering displayed content, or conducting actions that can be performed through the user’s browser). The CVSS data indicates this issue does not directly affect availability.
How This Could Impact Your Website
Consider a site with multiple users: a site owner who manages overall settings, internal staff who publish content, and an external contractor who contributes posts. If an authenticated contributor or author account is able to add content that the Post Grid renders without proper escaping, that account could store a script that runs when other users (including administrators or editors) view the affected page.
Practical consequences include exposure of data visible in the browser (for example, user interface elements or client-side data), increased risk of targeted phishing or social engineering against staff if attacker-controlled scripts harvest contact information displayed on pages, and unauthorized actions performed via the victim’s browser session (limited to what the browser and page context allow). The CVSS impacts indicate confidentiality and integrity are affected at a low level; full site compromise is not described in the CVE entry.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor- and Author-level accounts.
- Enforce strong passwords and enable two-factor authentication for Editors and Administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, such as unexpected content changes or injection indicators.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.js#L8
- https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.php#L46
- https://www.wordfence.com/threat-intel/vulnerabilities/id/865ff4bf-608e-45f0-a160-35581b82cc2b?source=cve