Bold Page Builder (<= 5.6.8) — Authenticated Contributor Stored XSS (CVE-2026-3694) — Risk, Detection & Practical Mitigation

Plugin Name	Bold Page Builder
Type of Vulnerability	Cross-Site Scripting (XSS)
CVE Number	CVE-2026-3694
Urgency	Medium
CVE Publish Date	2026-05-13
Source URL	CVE-2026-3694

Bold Page Builder (<= 5.6.8) — Authenticated Contributor Stored XSS (CVE-2026-3694)

Date: 2026-05-14 · Author: Hong Kong Security Expert · Tags: WordPress, XSS, Vulnerability, Bold Page Builder, Incident Response

Summary: A stored cross-site scripting (XSS) vulnerability (CVE-2026-3694) affecting Bold Page Builder versions ≤ 5.6.8 allows an authenticated contributor to store a payload that may execute when a privileged user interacts with the affected page/builder. The issue was patched in version 5.6.9. This article explains risk, exploitation scenarios, detection methods, hardening recommendations and practical mitigations you can apply immediately.

Quick facts (at a glance)

Vulnerability: Stored Cross-Site Scripting (XSS)
Affected plugin: Bold Page Builder (WordPress)
Vulnerable versions: ≤ 5.6.8
Patched in: 5.6.9
CVE: CVE-2026-3694
CVSS (reported): 6.5
Required privilege to inject: Contributor (authenticated user)
Exploitation nuance: user interaction required (execution triggered when a privileged user views or interacts with crafted content)
Immediate remediation: Update plugin to 5.6.9 or later; if you cannot, apply virtual patching / WAF rules and restrict privileges

Why this matters — explained by a Hong Kong security expert

Stored XSS is dangerous because malicious code injected into content persists in your database and executes in the browsers of users who view that content. When a low-privilege authenticated user (Contributor) can store such content, the risk is real and practical:

Injected scripts can run in the browser of an editor or administrator when they open the page in the editor, preview, or builder UI. From there the script can steal authentication cookies, perform actions on behalf of the privileged user, export data or plant further persistent payloads.
Attackers commonly automate discovery and injection once a vulnerability is public — mass campaigns will attempt to create or compromise Contributor-level accounts to drop payloads.

Because the vulnerability requires privileged-user interaction, it is not an immediate anonymous remote takeover. However, this scenario is frequently abused against CMS platforms where contributors and external writers have access to page builders. Sites that allow contributors to use the builder remain at risk until patched or adequately protected.

How the attack typically plays out (high-level)

Attacker registers or compromises a Contributor account.
Using the page builder interface or plugin inputs, the attacker stores malicious markup (crafted to bypass naive filters) into post content or builder fields.
A privileged user (Editor/Admin) later opens the page in the builder or preview, or clicks a link that triggers the payload. In that privileged browser context the payload can perform privileged actions.
Attacker leverages the privileged browser context to escalate: cookie theft, CSRF-like actions, storing additional content/backdoors and potentially achieving full site compromise.

Note: the vulnerability requires user interaction by a privileged user to trigger execution.

Detection: signs you may already be affected

If you are investigating possible compromise, check these indicators.

Database and content checks

Posts, pages and builder meta containing suspicious tags such as
Unexpected JavaScript embedded in post content, postmeta, or builder JSON/meta fields.
New or changed content authored by Contributor accounts you don’t recognise.

WordPress audit and activity logs

Unexplained content saves, especially by Contributor accounts.
Admin/editor activity shortly after content was added by lower-privilege users.
New user registrations followed by immediate page content changes.

Server and access logs

Requests to builder endpoints (AJAX endpoints) with unusual base64 strings or payload-like content in POST bodies.
Requests that coincide with privileged-user actions shortly after a Contributor saved content.

Filesystem indicators

New files in uploads or plugin/theme directories around suspicious activity times.
Modified PHP files or files with obfuscated content (search for base64_decode, eval, etc.).

Post-exploitation artifacts

Unexpected admin users created.
Unexpected outbound connections from the site to external IPs.
Modified cron jobs or scheduled events that trigger malicious code.

Probing with queries

Use WP-CLI or SQL to search for likely payloads. Run on a safe environment or after a backup.

# Find posts containing 
			
				
			
					
							
			
			
			





		
		
					
				       
    
  
  
 
 
    
  Review My Order
 0 
    
 
    Suggested for you
    
   
 
 
   
 
     Subtotal
 Taxes & shipping calculated at checkout
 
   
 
     Checkout  
 
 
 
 
 
  
 
      
 0 
 














































Notifications

        
        
        


        
        

    
            
            English
            
                                    Chinese (Hong Kong)                                    Chinese (China)                                    Spanish                                    Hindi                                    French

Security Advisory XSS in Bold Page Builder(CVE20263694)