CVE-2024-1157 identifies a stored cross-site scripting (XSS) vulnerability in the Bold Page Builder plugin for WordPress, present in all versions up to and including 4.8.0. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically in the plugin's button URL parameter. Authenticated users with contributor-level or higher permissions can inject arbitrary JavaScript code into pages by submitting crafted input into the button URL field. Because the input is not properly sanitized or escaped before being rendered, the malicious script is stored persistently and executed in the context of any user who views the affected page. This can lead to session hijacking, privilege escalation, or other attacks that compromise user confidentiality and integrity. The vulnerability requires authentication and user interaction (visiting the infected page) to trigger. The CVSS 3.1 base score is 5.4, reflecting network attack vector, low attack complexity, privileges required, user interaction needed, and partial confidentiality and integrity impact but no availability impact. No public exploits have been reported yet. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow content creation by multiple user roles.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, including administrators, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. While availability is not directly affected, the reputational damage and trust loss from defacement or data leakage can be significant. Organizations relying on the Bold Page Builder plugin may face increased risk of targeted attacks, especially if they allow multiple contributors or editors to create content. The vulnerability could be leveraged in phishing campaigns or lateral movement within compromised environments. Since the attack requires authentication, the risk is somewhat mitigated but remains significant in environments with many contributors or weak access controls.

To mitigate CVE-2024-1157, organizations should immediately update the Bold Page Builder plugin to a patched version once available. Until a patch is released, restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious script injections in button URL parameters. Conduct regular audits of content created by contributors to identify and remove injected scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. Additionally, harden WordPress user roles and permissions to limit the number of users who can create or edit pages. Monitor logs for unusual activity related to page edits or script injections. Educate content creators about the risks of injecting untrusted content. Finally, consider isolating or sandboxing critical administrative accounts to reduce the impact of potential XSS exploitation.