CVE-2025-7730 is a stored Cross-Site Scripting vulnerability identified in the Bold Page Builder plugin for WordPress, affecting all versions up to and including 5.4.5. The vulnerability stems from insufficient sanitization and escaping of the 'percentage' parameter during web page generation, classified under CWE-79. Authenticated attackers with Contributor-level or higher privileges can exploit this flaw by injecting arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability does not require user interaction beyond visiting the infected page and has a CVSS 3.1 score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed since the vulnerability can affect other users viewing the injected content. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant due to the widespread use of WordPress and this plugin. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in content management systems where multiple users contribute content.

The impact of CVE-2025-7730 includes potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the context of other users, leading to session hijacking, theft of sensitive information, or unauthorized actions such as content modification or privilege escalation. While availability is not directly impacted, the trustworthiness and security posture of the affected websites can be severely undermined. Organizations relying on Bold Page Builder risk reputational damage, data breaches, and potential regulatory consequences if user data is exposed. The vulnerability's exploitation could facilitate further attacks within the network or against site administrators. Given the medium severity and the requirement for authenticated access, the threat is significant for sites with multiple contributors or less stringent access controls. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks, especially in high-value environments.

To mitigate CVE-2025-7730, organizations should immediately restrict Contributor-level user permissions to trusted individuals and audit existing user roles for unnecessary privileges. Applying updates or patches from the vendor as soon as they become available is critical. In the absence of official patches, administrators can implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the 'percentage' parameter. Employing Content Security Policy (CSP) headers can help limit the impact of injected scripts by restricting script execution sources. Regularly scanning the website for injected scripts or anomalous content changes can aid in early detection. Additionally, enforcing strict input validation and output encoding practices in custom code and plugins reduces the risk of similar vulnerabilities. Monitoring user activity logs for unusual behavior and educating contributors about secure content practices further strengthens defenses. Backup strategies should be reviewed to ensure rapid recovery from potential compromises.