Security Alert Summary
The Bold Page Builder plugin contains a stored cross-site scripting (XSS) vulnerability in the bt_bb_accordion_item shortcode. Insufficient input sanitization and output escaping on user-supplied shortcode attributes allow authenticated users with contributor-level access or higher to inject scripts that execute when a page containing the injected content is viewed.
CVE Details
- CVE ID:
CVE-2025-15267 - Affected component: Bold Page Builder plugin (the
bt_bb_accordion_itemshortcode) - Affected versions: all versions up to, and including, 5.5.7 (as stated in the CVE entry)
- Published: February 7, 2026 at 6:16:03 AM
- Last modified: February 7, 2026 at 6:16:03 AM
- CVSS v3.1: Base Score 6.4 — MEDIUM; Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / privileges / user interaction: Privileges Required: LOW (contributor-level or higher); User Interaction: NONE
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- CWE / weakness: CWE-79 (Stored Cross-Site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting issue caused by insufficient input sanitization and lack of proper output escaping for user-supplied attributes on the plugin’s bt_bb_accordion_item shortcode. Because attributes provided to that shortcode are not properly sanitized or escaped before being stored or rendered, an authenticated user with contributor-level access or higher can inject arbitrary JavaScript into page content.
The injected script is stored in content associated with the shortcode and will execute in the browsers of users who view the affected page. The CVE entry attributes the problem specifically to the shortcode handling and notes the absence of adequate input validation and escaping measures.
How This Could Impact Your Website
Consider a site where an editor, a contributor, and an external freelancer each manage content. A contributor could add a malicious script via the vulnerable bt_bb_accordion_item shortcode while editing or creating a page. When other users — including site administrators or site visitors with elevated privileges — view that page, the script may execute in their browsers.
Practical consequences aligned with the CVSS impact include exposure of limited confidential data accessible in a user’s browser context (for example, email addresses visible on the page or session-scoped information), and increased risk of targeted phishing or social engineering against staff whose browsers executed the injected script. The vulnerability does not indicate direct site-wide administrative takeover or availability disruption in the CVE entry, but it does permit client-side script execution with the risks noted above.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry specifies affected versions up to 5.5.7; a fixed version is not specified in the CVE entry.)
- Review and reduce unnecessary user roles, especially contributor-level accounts that can add or edit content.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and content changes for unusual behavior or unexpected additions to page content.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.