CVE-2024-3267 identifies a stored cross-site scripting (XSS) vulnerability in the Bold Page Builder plugin for WordPress, specifically in the bt_bb_price_list shortcode. This vulnerability stems from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially affecting administrators, editors, and site visitors. The vulnerability impacts all versions up to and including 4.8.8 of the plugin. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. The impact includes limited confidentiality and integrity loss but no availability impact. No public exploits have been reported yet, but the vulnerability poses a significant risk in multi-user WordPress environments where contributors can add content. The lack of output escaping and input validation in the shortcode's attribute handling is the root cause, making it a classic example of CWE-79. Mitigation requires patching the plugin once updates are available or applying manual input validation and output escaping as a temporary measure.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users visiting those pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the vulnerability requires authenticated access, it is less likely to be exploited by external anonymous attackers but poses a significant risk in environments with multiple contributors or editors, such as corporate blogs, news sites, or community portals. The confidentiality and integrity of user data and site content can be compromised, undermining trust and potentially causing reputational damage. The vulnerability does not affect availability directly but can facilitate further attacks that may disrupt services. Organizations relying on the Bold Page Builder plugin for critical or high-traffic websites are at risk of targeted attacks, especially if they do not restrict contributor permissions or monitor injected content.

1. Immediately update the Bold Page Builder plugin to a patched version once it becomes available from the vendor. 2. Until a patch is released, restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement a web application firewall (WAF) with rules to detect and block common XSS payloads targeting the bt_bb_price_list shortcode attributes. 4. Conduct manual code review and sanitize all user inputs related to the shortcode attributes by applying strict whitelist validation and proper output escaping in the plugin code if feasible. 5. Monitor website content for unexpected script injections or anomalies, especially in pages using the vulnerable shortcode. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Regularly audit user permissions and remove unnecessary contributor or editor roles. 8. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 9. Backup website data frequently to enable quick restoration if exploitation occurs.