CVE-2025-15267 is a stored Cross-Site Scripting vulnerability identified in the Bold Page Builder plugin for WordPress, affecting all versions up to and including 5.5.7. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes in the plugin's bt_bb_accordion_item shortcode. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability requires no user interaction beyond visiting the compromised page and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based, with low attack complexity and privileges required at the contributor level, but no user interaction is needed. The scope is changed as the vulnerability affects other users beyond the attacker. No public exploits have been reported to date. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations. This vulnerability is particularly concerning for WordPress sites that allow contributor-level users to add or edit content, as it enables persistent script injection that can affect all visitors to the compromised pages.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of their WordPress-based websites. Attackers with contributor access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of users with higher privileges. This can lead to data breaches, defacement, loss of customer trust, and compliance violations under regulations such as GDPR. The vulnerability does not directly impact availability but can indirectly cause service disruptions if exploited for further attacks or site defacement. Organizations that rely heavily on WordPress for their web presence, especially those with multiple contributors or editors, are at higher risk. The medium CVSS score reflects the need for timely remediation but also indicates that exploitation requires some level of authenticated access, somewhat limiting the attack surface. However, insider threats or compromised contributor accounts could be leveraged by attackers to exploit this vulnerability.

1. Immediately restrict contributor-level user permissions to trusted individuals only and review existing contributor accounts for suspicious activity. 2. Monitor and audit content submissions involving the bt_bb_accordion_item shortcode for suspicious or unexpected input. 3. Apply strict input validation and output escaping manually if possible, especially for shortcode attributes, until an official patch is released. 4. Keep the WordPress core, themes, and plugins up to date, and apply the Bold Page Builder plugin update as soon as it becomes available. 5. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the vulnerable shortcode. 6. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. 7. Regularly back up website data to enable quick recovery in case of compromise. 8. Consider temporarily disabling or replacing the Bold Page Builder plugin if immediate patching is not possible and the risk is high.