CVE-2024-3266 in Bold Page Builder Plugin
Summary
by MITRE • 04/10/2024
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of widgets in all versions up to, and including, 4.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/08/2025
The vulnerability identified as CVE-2024-3266 affects the Bold Page Builder plugin for WordPress, a widely used tool for creating custom page layouts and content structures. This plugin has been identified as susceptible to stored cross-site scripting attacks through the URL attribute of widgets, impacting all versions up to and including 4.8.8. The flaw represents a critical security weakness that allows attackers with contributor-level privileges or higher to execute malicious scripts within the context of the victim's browser, potentially compromising user sessions and accessing sensitive data.
The technical root cause of this vulnerability lies in the plugin's inadequate input sanitization and output escaping mechanisms for user-supplied attributes. When administrators or contributors add widgets containing URL attributes to pages, the plugin fails to properly validate or sanitize the input data before storing it in the database. This stored data is then later rendered on pages without proper escaping, creating an environment where malicious scripts can persist and execute whenever users view pages containing the compromised widget content. The vulnerability specifically targets the URL attribute handling within widget configurations, making it possible for attackers to inject JavaScript code that will execute in the browsers of any user who accesses pages containing these malicious elements.
The operational impact of this vulnerability is significant for WordPress installations using the affected plugin version. Attackers with contributor-level access or higher can exploit this weakness to inject malicious scripts that may perform various harmful actions including session hijacking, credential theft, data exfiltration, or redirection to malicious websites. The stored nature of the XSS vulnerability means that once an attacker successfully injects malicious code, it will persist and execute automatically whenever users access the affected pages, potentially affecting multiple users over extended periods. This makes the vulnerability particularly dangerous as it can be used to create persistent backdoors or launch more sophisticated attacks against the compromised WordPress installation.
Organizations should immediately update to the latest version of the Bold Page Builder plugin where this vulnerability has been patched, as the fix typically involves implementing proper input validation and output escaping mechanisms. System administrators should also conduct thorough security audits of their WordPress installations to identify any existing malicious scripts that may have been injected through this vulnerability. Additionally, implementing proper access controls and privilege management can help limit the potential impact of such vulnerabilities by restricting contributor-level access to only necessary functions and preventing unauthorized widget modifications. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and may be mapped to ATT&CK technique T1566.001 for initial access through malicious content, emphasizing the importance of input validation and output escaping as core security controls.