CVE-2025-12803: Bold Page Builder WordPress XSS Flaw

CVE-2025-12803 Overview

CVE-2025-12803 is a Stored Cross-Site Scripting (XSS) vulnerability in the Bold Page Builder plugin for WordPress. The flaw affects all plugin versions up to and including 5.5.1. The issue exists in the bt_bb_tabs shortcode, which fails to sanitize and escape user-supplied attributes. Authenticated users with contributor-level access or higher can inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any visitor who views the affected page. The vulnerability is tracked under CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page.

Critical Impact

Authenticated contributors can persist arbitrary JavaScript in published pages, enabling session theft, redirection, and administrative account takeover when an administrator views the affected content.

Affected Products

• Bold Page Builder plugin for WordPress, all versions up to and including 5.5.1
• WordPress sites with contributor-level or higher user roles enabled
• Pages and posts rendering the bt_bb_tabs shortcode

Discovery Timeline

• 2026-02-07 - CVE-2025-12803 published to NVD
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-12803

Vulnerability Analysis

The Bold Page Builder plugin registers the bt_bb_tabs shortcode to render tabbed content layouts. The shortcode handler accepts user-supplied attributes and writes them into the rendered HTML output. The plugin does not apply WordPress escaping functions such as esc_attr() or esc_html() to these attributes before output. As a result, attribute values containing HTML or JavaScript payloads are interpreted by the browser as active markup.

An attacker with contributor permissions can create a draft post containing the bt_bb_tabs shortcode with a malicious attribute payload. Once the draft is reviewed or published and rendered, the script executes in the context of the site's origin. The Wordfence advisory documents the vulnerable code path at line 65 of bt_bb_tabs.php. Refer to the WordPress Plugin Source Code for the affected function.

Root Cause

The root cause is insufficient input sanitization and missing output escaping on shortcode attributes processed by the bt_bb_tabs handler. The plugin concatenates attribute values directly into HTML without neutralizing script-related characters. This violates secure WordPress development practices, which require contextual escaping at the point of output.

Attack Vector

The attack requires network access and an authenticated account with at least contributor privileges. An attacker submits content containing the bt_bb_tabs shortcode with a crafted attribute value carrying a JavaScript payload. When any user, including administrators, loads the affected page, the browser executes the injected script under the site's origin. This can be used to steal authenticated session cookies, perform actions on behalf of the victim, or pivot to administrative account compromise. See the Wordfence Vulnerability Report for additional context.

No verified exploitation code is publicly available.
Refer to the Wordfence advisory and plugin source code for technical details.

Detection Methods for CVE-2025-12803

Indicators of Compromise

• Posts or pages containing bt_bb_tabs shortcode attributes with <script>, onerror, onload, or javascript: substrings
• Unexpected outbound requests from administrator browsers to attacker-controlled domains after viewing plugin-rendered pages
• New or modified WordPress administrator accounts created shortly after a contributor publishes or edits content
• Database entries in wp_posts where post_content contains shortcode attributes with encoded HTML or script payloads

Detection Strategies

• Audit the wp_posts table for bt_bb_tabs shortcode usage and inspect attribute values for script-related tokens
• Deploy a web application firewall rule that inspects POST requests to wp-admin/post.php and admin-ajax.php for malicious shortcode payloads
• Monitor WordPress access logs for contributor accounts submitting content containing HTML event handlers within shortcode attributes

Monitoring Recommendations

• Enable WordPress activity logging to track content creation and edits by contributor and author roles
• Alert on Content Security Policy (CSP) violations originating from pages that render the Bold Page Builder shortcodes
• Review newly registered or recently elevated user accounts on a recurring schedule

How to Mitigate CVE-2025-12803

Immediate Actions Required

• Update the Bold Page Builder plugin to a version later than 5.5.1 once the vendor publishes a patched release
• Audit all existing posts and pages for malicious bt_bb_tabs shortcode attributes and remove injected payloads
• Review the contributor, author, and editor user lists and remove or reduce privileges for unverified accounts
• Rotate administrator passwords and invalidate active sessions if injected scripts may have executed

Patch Information

At the time of publication, the vendor advisory referenced by the Wordfence Vulnerability Report indicates all versions through 5.5.1 are affected. Administrators should monitor the plugin changelog and apply the fixed version as soon as it is released.

Workarounds

• Restrict content publishing to trusted users by removing contributor and author roles from untrusted accounts
• Deploy a web application firewall rule blocking shortcode attribute values containing <script, onerror=, or javascript: tokens
• Implement a strict Content Security Policy that disallows inline scripts on pages rendered by the plugin
• Temporarily disable the Bold Page Builder plugin if it is not in active use until a patched version is available

# Example WordPress CLI commands to audit affected content
wp post list --post_type=page,post --format=csv --fields=ID,post_title,post_status \
  | xargs -I {} wp post get {} --field=post_content \
  | grep -E 'bt_bb_tabs.*(<script|onerror=|javascript:)'

# List users with contributor or higher capability
wp user list --role=contributor,author,editor --fields=ID,user_login,user_email