The Bold Page Builder plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-12803. This vulnerability is due to improper neutralization of script-related HTML tags (CWE-80) within the 'bt_bb_tabs' shortcode, where user-supplied attributes are insufficiently sanitized and output escaping is inadequate. Consequently, authenticated attackers with contributor-level privileges or higher can embed arbitrary JavaScript code into pages or posts. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability affects all versions up to and including 5.5.1 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact primarily affects confidentiality and integrity, with no direct availability impact. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for WordPress sites using this plugin, especially those allowing contributor-level users to create or edit content.

This vulnerability enables attackers with contributor-level access to inject persistent malicious scripts into website content, which execute in the context of any user visiting the infected pages. The potential impacts include theft of authentication cookies or tokens, enabling session hijacking, unauthorized actions performed on behalf of users, defacement of website content, and possible redirection to malicious sites. For organizations, this can lead to compromised user accounts, loss of customer trust, reputational damage, and potential regulatory consequences if user data is exposed. Since WordPress powers a significant portion of websites globally, and Bold Page Builder is a popular plugin, the scope of affected systems is substantial. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the low attack complexity and no need for user interaction increase the risk. The vulnerability does not affect system availability but can severely impact confidentiality and integrity of web applications.

Organizations should immediately update the Bold Page Builder plugin to a patched version once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing content for injected scripts. Employing a Web Application Firewall (WAF) with rules to detect and block malicious script payloads in shortcode attributes can provide interim protection. Additionally, implementing Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script execution sources. Regularly scanning WordPress sites with security plugins that detect XSS vulnerabilities and monitoring user activity logs for suspicious behavior is advised. Developers should review and enhance input validation and output encoding in the plugin's shortcode handling to prevent future occurrences. Finally, educating content contributors about safe content practices reduces the risk of accidental injection.