CVE-2025-7730 is a stored Cross-Site Scripting vulnerability identified in the Bold Page Builder plugin for WordPress, affecting all versions up to and including 5.4.5. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'percentage' parameter. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially enabling session hijacking, theft of sensitive information, or unauthorized actions within the context of the victim's session. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction, and the impact affects confidentiality and integrity with no availability impact. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors managing content. The lack of a patch at the time of disclosure necessitates immediate mitigation efforts to reduce exposure. The vulnerability's scope is limited to environments where the plugin is installed and used, but given WordPress's popularity, the potential attack surface is substantial.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, compromising user sessions and potentially exposing sensitive data such as authentication tokens or personal information. This can result in reputational damage, loss of customer trust, and regulatory non-compliance under GDPR if personal data is compromised. The ability for contributors to inject scripts means insider threats or compromised contributor accounts can be leveraged to escalate attacks. Websites that serve as customer portals, e-commerce platforms, or internal communication tools are particularly at risk. The integrity of web content can be undermined, leading to misinformation or defacement. Although availability is not directly impacted, the indirect effects of a successful attack could include service disruptions due to incident response or remediation activities. European organizations with extensive WordPress deployments and collaborative content management workflows face elevated risk, especially if they have not implemented strict access controls or monitoring.

1. Monitor for and apply official patches or updates from BoldThemes as soon as they become available to remediate the vulnerability. 2. Until a patch is released, restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with robust XSS detection and blocking capabilities to intercept malicious payloads targeting the 'percentage' parameter. 4. Conduct regular security audits of WordPress plugins and user permissions to identify and remediate excessive privileges or suspicious activities. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected web pages. 6. Educate content contributors about the risks of injecting untrusted content and enforce input validation policies. 7. Use security plugins that provide real-time monitoring and alerting for suspicious changes in page content. 8. Maintain comprehensive backups of WordPress sites to enable rapid restoration in case of compromise.