CVE-2025-12159 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Bold Page Builder plugin for WordPress, specifically affecting all versions up to and including 5.4.8. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The issue is located in the plugin's bt_bb_raw_content shortcode, where user-supplied attributes are not sufficiently sanitized or escaped before being rendered on pages. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code that is persistently stored and executed in the context of any user who visits the affected page. The attack vector requires network access (remote) and low attack complexity, with privileges required at the contributor level but no user interaction needed for exploitation. The vulnerability impacts confidentiality and integrity by enabling script execution that can hijack sessions, steal cookies, or perform unauthorized actions on behalf of users. The scope is considered changed (S:C) because the vulnerability can affect other users beyond the attacker. The CVSS v3.1 base score is 6.4, reflecting a medium severity level. Currently, there are no known exploits in the wild, and no official patches have been linked yet. The vulnerability was reserved in October 2025 and published in February 2026. The Bold Page Builder plugin is widely used in WordPress sites for page design, making this vulnerability relevant to many web environments that rely on this plugin for content management and presentation.

For European organizations, this vulnerability poses a significant risk to websites using the Bold Page Builder plugin, especially those with multiple contributors or editors. Exploitation can lead to unauthorized script execution, enabling attackers to steal session tokens, perform actions on behalf of legitimate users, or deface websites. This can result in data breaches, loss of user trust, and potential regulatory penalties under GDPR if personal data is compromised. The persistent nature of stored XSS increases the risk as malicious scripts remain active until removed. Organizations with public-facing WordPress sites, particularly in sectors like e-commerce, media, and government, are at higher risk due to the potential impact on customer data and service integrity. The medium severity score indicates moderate urgency, but the ease of exploitation by authenticated users elevates the threat in environments with multiple contributors. Additionally, the cross-site scripting can facilitate further attacks such as phishing or malware distribution, amplifying the potential damage.

Immediate mitigation should focus on restricting contributor-level access to trusted users only, minimizing the risk of malicious input. Administrators should monitor and audit content created via the bt_bb_raw_content shortcode for suspicious scripts. Until an official patch is released, consider disabling or removing the Bold Page Builder plugin if feasible or replacing it with alternative page builders that follow secure coding practices. Implement Web Application Firewalls (WAF) with rules to detect and block common XSS payloads targeting this vulnerability. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. Educate content contributors about safe input practices and the risks of injecting untrusted code. Once a patch becomes available, prioritize updating the plugin promptly. Additionally, perform regular security scans and penetration tests focusing on WordPress plugins to identify similar vulnerabilities proactively.