CVE-2025-7730 in Bold Page Builder Plugin
Summary
by MITRE • 10/24/2025
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘percentage’ parameter in all versions up to, and including, 5.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 10/24/2025
The vulnerability identified as CVE-2025-7730 affects the Bold Page Builder plugin for WordPress, specifically targeting versions up to and including 5.4.5. This represents a critical security flaw that exploits stored cross-site scripting vulnerabilities within the plugin's handling of user input. The vulnerability manifests through the 'percentage' parameter which lacks proper input sanitization and output escaping mechanisms, creating a persistent vector for malicious code injection that can affect all users who access compromised pages.
The technical flaw resides in the plugin's insufficient validation and sanitization of the 'percentage' parameter, which is typically used for configuring various layout elements within the page builder interface. When authenticated users with Contributor level access or higher submit content containing malicious script code through this parameter, the system fails to properly sanitize the input before storing it in the database. This stored malicious content then executes whenever any user accesses the affected page, making it a classic stored XSS vulnerability that operates outside the typical context of reflected attacks.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to manipulate page content in ways that can compromise user sessions, steal sensitive data, or redirect users to malicious sites. Since the vulnerability requires only Contributor-level access, it represents a significant risk to WordPress installations where multiple users have editing privileges, as attackers can exploit this to gain unauthorized access to user data or perform actions on behalf of legitimate users. The persistent nature of stored XSS means that once a page is compromised, the malicious script will continue to execute for all users who access that content until the vulnerability is patched and the malicious code is removed from the database.
Organizations should immediately update to the latest version of the Bold Page Builder plugin where this vulnerability has been addressed through proper input sanitization and output escaping mechanisms. Security teams should also implement monitoring for suspicious user activity and content modifications, particularly around areas where the percentage parameter is utilized. This vulnerability aligns with CWE-79 which defines Cross-Site Scripting as a weakness that allows attackers to inject malicious scripts into web applications, and it maps to ATT&CK technique T1566.001 which covers Spearphishing Attachments, as attackers could potentially use this vulnerability to deliver malicious payloads through compromised pages. The remediation process should include thorough scanning of affected sites for existing malicious content and implementing proper input validation to prevent similar issues in other plugin components.