CVE-2025-7730 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Bold Page Builder plugin for WordPress, a popular page-building tool used to create and manage website content. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'percentage' parameter. Versions up to and including 5.4.5 fail to adequately sanitize and escape this input, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute in the context of any user who views the compromised page, potentially exposing sensitive information such as session cookies, enabling privilege escalation, or facilitating further attacks like phishing or malware distribution. The vulnerability requires authentication but no additional user interaction, and it affects all versions of the plugin up to 5.4.5. The CVSS v3.1 score of 6.4 reflects a medium severity, with a network attack vector, low attack complexity, and privileges required. No public exploits are known at this time, but the vulnerability's presence in a widely used WordPress plugin makes it a significant concern for website security. The lack of a currently available patch necessitates immediate attention to mitigate risk.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of web applications using the Bold Page Builder plugin. Exploitation can lead to unauthorized script execution, enabling attackers to hijack user sessions, steal credentials, or perform actions on behalf of legitimate users. This can result in data breaches, defacement of websites, loss of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. The requirement for authenticated access limits exposure somewhat, but many organizations have contributors or editors with such privileges, increasing the attack surface. The vulnerability could be leveraged in targeted attacks against organizations with public-facing WordPress sites, including e-commerce, media, and government portals. The scope includes all affected versions, which may be widely deployed across European SMEs and enterprises relying on WordPress for content management. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

Organizations should immediately audit their WordPress installations to identify the presence of the Bold Page Builder plugin and determine the version in use. Until an official patch is released, administrators should restrict Contributor-level access to trusted users only and consider temporarily disabling the plugin if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'percentage' parameter can provide interim protection. Additionally, applying manual input validation and output encoding in custom code or templates may reduce risk. Monitoring logs for unusual activity related to page edits or script injections is recommended. Once a patch becomes available, prompt updating of the plugin is critical. Educating content contributors about the risks of injecting untrusted content and enforcing the principle of least privilege will further reduce exposure. Regular backups and incident response plans should be reviewed to prepare for potential exploitation.