| Plugin Name | Bold Page Builder |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2025-58194 |
| Urgency | Low |
| CVE Publish Date | 2025-08-27 |
| Source URL | CVE-2025-58194 |
Urgent: Bold Page Builder (≤ 5.4.3) — XSS Vulnerability (CVE-2025-58194) and What WordPress Owners Must Do Now
Summary
- A Cross-Site Scripting (XSS) vulnerability affecting the Bold Page Builder plugin versions ≤ 5.4.3 has been disclosed (CVE-2025-58194).
- The issue is fixed in version 5.4.4.
- The original disclosure reports a CVSS score of 6.5. The published classification rates the priority as low for some workflows, although 6.5 falls in the medium range under the standard CVSS scale.
- Exploitation requires an account with contributor-level privileges (an authenticated user with authoring abilities).
- Impact: attackers with the required privileges can inject JavaScript/HTML into content that will execute in visitors’ browsers, enabling redirects, credential theft, SEO spam, malicious advertising, or broader site compromise.
This advisory explains the vulnerability, risk profile, detection and cleanup steps, immediate mitigations you can apply today, and long-term hardening recommendations.
1. What is this vulnerability?
This is a stored Cross-Site Scripting (XSS) vulnerability in Bold Page Builder up to and including version 5.4.3. It is tracked as CVE-2025-58194 and fixed in 5.4.4.
In short: the plugin allowed contributor-level users to save content that was not properly sanitized before being rendered to visitors. A malicious or compromised contributor account can therefore embed JavaScript or other HTML payloads that will execute in the browsers of anyone who views the affected pages.
- Affected software: Bold Page Builder (WordPress plugin)
- Affected versions: ≤ 5.4.3
- Fixed in: 5.4.4
- CVE: CVE-2025-58194
- Required privilege: Contributor (authenticated user)
- Vulnerability type: Stored Cross‑Site Scripting (XSS)
2. Who is affected and why it matters
If your site uses Bold Page Builder and runs version 5.4.3 or earlier, you are potentially affected.
Why this matters:
- Contributor and author roles are common on WordPress sites; many setups allow multiple people to create or edit content.
- Page-builder content is often included directly in rendered page HTML and may be viewed by all visitors, making injected content highly visible and exploitable at scale.
- XSS enables JavaScript execution in visitors’ browsers; consequences include cookie/session theft, forced actions, redirects, malware delivery, and SEO spam insertion.
- Even if a researcher rates the patch priority as low for some contexts, real-world risk depends on your user model and operational exposure.
Sites at highest risk: multi-author blogs, membership or community sites, sites accepting third‑party content, and high‑traffic sites where any injected payload is amplified.
3. Technical analysis — how the XSS works
The disclosure indicates the page builder did not properly sanitize certain user-supplied fields before output. The vector is a typical stored XSS: malicious input is saved in the database (for example, element content or attributes) and later rendered in pages viewed by other users.
Three technical points to note:
- This is a stored XSS: content authored and saved in the builder is later served to visitors.
- The plugin failed to escape or sanitize fields on output. Proper WordPress practice is to sanitize input and escape at output; the plugin did not apply one of these protections for certain fields.
- Privilege required: contributor-level access is sufficient to author the malicious content.
Common injection points in page-builders include custom HTML widgets, element attributes (data-*), inline style/script attributes, and rich text areas when filtering is bypassed.
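
To make those injection points concrete from the defender's side, the following added example (not code from the plugin or from the original advisory) parses rendered page HTML and reports script elements, inline event-handler attributes, `javascript:` URLs and `srcdoc` documents. The names `InjectionPointAudit`, `audit_html` and `SAMPLE` are hypothetical, and the sample markup is constructed; it is generic HTML, not Bold Page Builder's storage format.

```python
from html.parser import HTMLParser

# URL-bearing attributes where a javascript: scheme would execute script.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class InjectionPointAudit(HTMLParser):
    """Collects (line, tag, reason) findings for markup that can run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in attribute values before calling this.
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, tag, "script element"))
        for name, value in attrs:
            # Drop whitespace/control characters and case differences so the
            # scheme comparison matches what a browser would resolve.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append((line, tag, f"event handler {name}"))
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append((line, tag, f"javascript: URL in {name}"))
            elif name == "srcdoc":
                self.findings.append((line, tag, "inline document in srcdoc"))


def audit_html(html):
    """Return every finding in document order for one rendered page."""
    parser = InjectionPointAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one clean element, then three elements carrying markup
# that contributor-authored content should never be able to publish.
SAMPLE = """<div class="section" data-id="7"><p>Welcome to our site.</p></div>
<img src="/uploads/logo.png" onerror="void(0)">
<a href=" JavaScript:void(0)">Read more</a>
<script src="https://cdn.example.invalid/widget.js"></script>"""

if __name__ == "__main__":
    for line, tag, reason in audit_html(SAMPLE):
        print(f"line {line}: <{tag}> {reason}")
```

Legitimate themes and plugins also emit script elements, so findings are a review list to compare against known-good output, not proof of injection.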
4. Typical attacker scenarios and impact
Below are realistic actions an attacker with contributor access could perform:
- Steal sessions or cookies: Inject JS that exfiltrates document.cookie or localStorage to an attacker domain.
- Drive-by malware and redirects: Redirect visitors to malicious sites or load third‑party payloads.
- Attack privileged users: Target admins or editors who view infected content to perform privileged operations.
- SEO spam and reputation damage: Inject hidden links, spam content or affiliate redirects.
- Persistent backdoors: Use injected scripts to carry out additional actions (create users, upload files) that lead to deeper compromise.
- Phishing and credential harvesting: Serve fake login dialogs to capture credentials.
Key takeaway: although initial access requires a contributor account, the downstream impact can be broad and severe.
5. How to quickly detect if you’ve been targeted
If you run Bold Page Builder ≤ 5.4.3, check for signs of injected content immediately.