CVE-2026-3694 Overview
CVE-2026-3694 is a stored Cross-Site Scripting (XSS) vulnerability in the Bold Page Builder plugin for WordPress. The flaw affects all versions up to and including 5.6.8. The issue resides in the text attribute of the bt_bb_button shortcode, where the plugin fails to properly sanitize input and escape output for user-supplied attributes.
Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript into pages. The payload executes in the browser of any user who views the affected page, including administrators. The vulnerability is classified as Improper Neutralization of Input During Web Page Generation [CWE-79].
Critical Impact
A contributor-level account can inject persistent JavaScript that executes against any visitor, enabling session theft, administrative action forgery, and full site compromise when an administrator views the page.
Affected Products
- Bold Page Builder plugin for WordPress, all versions up to and including 5.6.8
- WordPress sites that allow contributor-level or higher user registration
- Patched in the changeset published at revision 3479329
Discovery Timeline
- 2026-05-14 - CVE-2026-3694 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-3694
Vulnerability Analysis
The Bold Page Builder plugin processes a custom shortcode named bt_bb_button. This shortcode accepts a text attribute that determines the visible label of the rendered button. The plugin inserts the attribute value into the page HTML without applying adequate sanitization on input or escaping on output.
An authenticated user with contributor permissions can save a post or page containing the shortcode with a malicious text attribute. Because WordPress contributors can create draft content, and the resulting shortcode is rendered in the page context, the injected script becomes a stored payload tied to that content.
When an editor, administrator, or visitor opens the page for preview or viewing, the browser executes the script in the site origin. This grants the attacker access to session cookies, authentication state, and the WordPress REST API under the victim's privileges.
Root Cause
The root cause is missing input sanitization and missing output escaping on the shortcode attribute. Functions such as sanitize_text_field() on input or esc_html() and esc_attr() on output were not applied to the text parameter before it was concatenated into the rendered HTML. The fix in changeset 3479329 introduces the appropriate escaping routines.
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker registers or compromises a contributor account, then creates a post containing the bt_bb_button shortcode with JavaScript in the text attribute. The payload triggers when any authenticated reviewer or visitor renders the page. The scope is changed because script execution occurs in the browser context of users distinct from the attacker.
No verified public exploit code is available. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-3694
Indicators of Compromise
- Posts or pages in wp_posts containing bt_bb_button shortcodes with text attribute values that include <script>, onerror=, onload=, or javascript: tokens
- Outbound requests from administrator browsers to unfamiliar domains immediately after viewing pages authored by contributors
- Unexpected new administrator accounts or modifications to user roles following content review activity
Detection Strategies
- Query the WordPress database for shortcode attribute values containing HTML tags or JavaScript event handlers, focusing on the post_content column
- Inspect web server access logs for requests by contributor accounts that publish content with the bt_bb_button shortcode
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution originating from rendered post content
Monitoring Recommendations
- Alert on creation or modification of WordPress users with the contributor role, especially from unfamiliar IP addresses
- Monitor administrative session activity for REST API calls that occur shortly after preview or edit actions on contributor-authored posts
- Track plugin version inventory across WordPress estates to identify hosts still running Bold Page Builder 5.6.8 or earlier
How to Mitigate CVE-2026-3694
Immediate Actions Required
- Update the Bold Page Builder plugin to the version released in changeset 3479329 or later on every affected WordPress site
- Audit all contributor and author accounts, revoking access for accounts that are unused, unrecognized, or no longer required
- Review existing posts and pages for bt_bb_button shortcodes containing suspicious text attribute values and remove malicious content
Patch Information
The vendor addressed the vulnerability by adding proper escaping to the text attribute of the bt_bb_button shortcode. The fix is recorded in the WordPress Change Log Entry. Site administrators should apply the update through the WordPress plugin manager or by replacing the plugin files directly from the official repository.
Workarounds
- Restrict contributor-level account creation and require manual approval for new user registrations until the plugin is updated
- Temporarily deactivate the Bold Page Builder plugin on sites that cannot immediately apply the patch
- Enforce a strict Content Security Policy that disallows inline scripts to reduce the impact of stored XSS payloads
# Configuration example: update Bold Page Builder via WP-CLI
wp plugin update bold-page-builder --version=latest
wp plugin list --name=bold-page-builder --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
