CVE-2024-1159: 
WordPress vulnerability analysis and mitigation

The Bold Page Builder plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-1159) in versions up to and including 4.8.0. The vulnerability was discovered and disclosed on February 13, 2024, affecting the plugin's shortcode functionality (Wordfence Advisory).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode functionality. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N by NIST, while Wordfence assigned a score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Website administrators are advised to update the Bold Page Builder plugin to version 4.8.1 or later, which contains the security fix for this vulnerability (WordPress Patch).