CVE-2025-15267 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the Bold Page Builder plugin for WordPress. This vulnerability exists due to insufficient sanitization and escaping of user-supplied attributes within the plugin's bt_bb_accordion_item shortcode. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages via this shortcode. Because the malicious script is stored in the page content, it executes every time the page is accessed by any user, including administrators and visitors. This persistent XSS can lead to session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability affects all versions up to and including 5.5.7 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was publicly disclosed in early 2026, with Wordfence as the assigner. Given the widespread use of WordPress and the popularity of page builder plugins, this vulnerability poses a significant risk to websites that allow contributor-level users to create or edit content without strict input validation controls.

The impact of CVE-2025-15267 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the context of any user viewing the infected page. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or distribution of malware. While availability is not directly affected, the reputational damage and potential data breaches can be severe. Organizations relying on the Bold Page Builder plugin for content management are at risk of internal threat actors or compromised contributor accounts abusing this flaw. Since contributor roles are commonly assigned to less trusted users, the attack surface is significant. The vulnerability could also be leveraged as a stepping stone for further attacks within the network or to pivot to higher privilege accounts. The lack of known exploits currently reduces immediate risk but does not diminish the urgency for remediation given the ease of exploitation and broad scope.

To mitigate CVE-2025-15267, organizations should immediately restrict contributor-level user permissions to trusted individuals and audit existing contributors for suspicious activity. Until an official patch is released, administrators can disable or remove the Bold Page Builder plugin if feasible. Alternatively, implement web application firewall (WAF) rules to detect and block malicious script injections targeting the bt_bb_accordion_item shortcode parameters. Employ strict input validation and output encoding on user-generated content, especially for shortcodes and dynamic page elements. Regularly monitor logs for unusual content changes or script injections. Educate content contributors about safe content practices and the risks of embedding scripts. Once a patch is available, prioritize prompt updating of the plugin to the fixed version. Additionally, consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. Conduct periodic security assessments and penetration tests focusing on user input handling in WordPress plugins.