{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12803", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T13:21:30.471Z", "datePublished": "2026-02-07T05:52:38.939Z", "dateUpdated": "2026-04-08T16:57:41.593Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:41.593Z"}, "affected": [{"vendor": "boldthemes", "product": "Bold Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.5.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php"}, {"url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-06T17:29:33.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:19:09.465380Z", "id": "CVE-2025-12803", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:25:33.080Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12803", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:19:09.465380Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:19:10.376Z"}}], "cna": {"title": "Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "boldthemes", "product": "Bold Page Builder", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.5.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-06T17:29:33.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php"}, {"url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65"}], "descriptions": [{"lang": "en", "value": "The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-07T05:52:38.939Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12803", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:25:33.080Z", "dateReserved": "2025-11-06T13:21:30.471Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-07T05:52:38.939Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Bold Page Builder para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'bt_bb_tabs' del plugin en todas las versiones hasta la 5.5.1, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-12803", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-07T06:16:03.520", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:04:18.522990+00:00", "value": {"mitigation_remediation": ["Upgrade Bold Page Builder to version 5.5.2 or later, which removes the unsanitized shortcode usage", "Review and clean existing pages that contain the bt_bb_tabs shortcode, deleting or correcting any injected script fragments", "Re\u2011enforce the role hierarchy so that only trusted administrators can add or edit shortcode content; consider revoking Contributor access from non\u2011essential users", "Monitor web traffic for indicators of XSS execution, such as abnormal client\u2011side script activity or authentication cookie theft"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) via shortcode input"}, "threat_synthesis": {"affected_systems": "Bold Themes\u2019 Bold Page Builder plug\u2011in for WordPress, all released versions up to and including 5.5.1. Users running any of these versions are at risk, regardless of WordPress core version. The vulnerability is present in the bt_bb_tabs content element and is tied to the shortcode functionality.", "description_and_impact": "The Bold Page Builder plugin allows an authenticated user with contributor-level access or higher to embed malicious scripts through the bt_bb_tabs shortcode. User supplied attributes of the shortcode are not properly sanitized or escaped, letting the attacker store arbitrary JavaScript that later executes whenever anyone views the affected page. This stored XSS flaw is classified as CWE\u201180 and can be used to steal session cookies, deface content, or launch further attacks against site visitors. The impact is confined to the web page where the shortcode is used but can affect all users who load that page, compromising confidentiality, integrity, and potentially availability through denial\u2011of\u2011service actions carried out by the injected code.", "risk_and_exploitability": "The CVSS score of 6.4 labels this flaw as medium severity, and the EPSS score of less than 1\u202f% indicates a low probability that the vulnerability will be targeted in the near term. The attacker must be authenticated with contributor or higher privileges, so the attack vector is authenticated. Although not listed in the CISA KEV catalog, the flaw is exploitable in any site where contributors can insert or edit shortcode attributes. If a malicious contributor is present or a site\u2019s role permissions are mis\u2011configured, the stored scripts will run for every visitor, enabling widespread compromise."}}}}, "created": "2026-02-09T10:44:41.022759+00:00", "updated": "2026-04-21T16:15:40.495571+00:00", "vendors": ["bold-themes", "bold-themes$PRODUCT$bold_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}