CVE-2025-3715 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Bold Page Builder plugin for WordPress, affecting all versions up to and including 5.3.5. The vulnerability arises due to improper neutralization of input during web page generation, specifically through the 'data-text' parameter. This parameter is insufficiently sanitized and escaped, allowing an authenticated attacker with at least Contributor-level privileges to inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is classified under CWE-79, which covers improper input validation leading to XSS. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was published on May 18, 2025, with the initial reservation on April 16, 2025.

For European organizations using WordPress sites with the Bold Page Builder plugin, this vulnerability poses a significant risk to the confidentiality and integrity of their web applications. Attackers with contributor-level access—often achievable through compromised accounts or weak internal controls—can inject malicious scripts that execute in the context of users visiting the affected pages. This can lead to theft of session cookies, enabling account takeover, unauthorized data access, or manipulation of site content. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce websites, exploitation could result in data breaches, reputational damage, and regulatory non-compliance under GDPR. The vulnerability’s ability to affect multiple users and potentially escalate privileges or pivot to other systems increases its threat level. However, the lack of requirement for user interaction and the need for authenticated access somewhat limits the attack surface, but insider threats or compromised contributor accounts remain a concern.

European organizations should immediately audit their WordPress installations to identify the presence of the Bold Page Builder plugin and verify its version. Until an official patch is released, organizations should restrict contributor-level access strictly to trusted users and implement multi-factor authentication to reduce the risk of account compromise. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'data-text' parameter can provide temporary protection. Additionally, security teams should monitor logs for unusual contributor activity and conduct regular security awareness training to prevent credential theft. Organizations should also consider disabling or removing the Bold Page Builder plugin if it is not essential. Once a patch becomes available, prompt application of updates is critical. Implementing Content Security Policy (CSP) headers can further mitigate the impact of XSS by restricting script execution sources.