CVE-2025-12803 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Bold Page Builder plugin for WordPress, specifically in the 'bt_bb_tabs' shortcode. This vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, allowing an attacker with authenticated contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored within the page content, it executes every time the page is accessed by any user, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 5.5.1 of the plugin. The CVSS 3.1 score of 6.4 reflects a medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and scope change (S:C), impacting confidentiality and integrity but not availability. No public exploits have been reported yet, but the risk remains significant due to the potential for privilege escalation and persistent script injection. The vulnerability is categorized under CWE-80, indicating improper neutralization of script-related HTML tags. The issue was reserved in November 2025 and published in February 2026. Since the plugin is widely used in WordPress environments, this vulnerability poses a risk to many websites that rely on it for page building and content management.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on WordPress sites with the Bold Page Builder plugin installed. Exploitation could lead to unauthorized script execution, resulting in session hijacking, data theft, defacement, or distribution of malware to site visitors. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches due to data exposure), and cause operational disruptions. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts pose a significant risk. Attackers could leverage this to escalate privileges or pivot to more critical systems. The scope of affected systems is broad given WordPress’s popularity in Europe, and the medium severity rating suggests a moderate but actionable risk. Organizations with public-facing websites, e-commerce platforms, or customer portals using this plugin are particularly vulnerable. The absence of known exploits in the wild provides a window for proactive mitigation, but the potential for targeted attacks remains high.

1. Immediately update the Bold Page Builder plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. 3. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the 'bt_bb_tabs' shortcode. 4. Conduct regular audits of user-generated content for unexpected scripts or HTML tags, especially in pages using the vulnerable shortcode. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected websites. 6. Monitor logs for unusual activity or changes in page content that could indicate exploitation attempts. 7. Educate content contributors about secure content practices and the risks of injecting untrusted code. 8. Consider disabling or replacing the Bold Page Builder plugin if immediate patching is not feasible, especially on high-risk or critical sites.