CVE-2025-0859: 
WordPress vulnerability analysis and mitigation

The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress contains a Path Traversal vulnerability (CVE-2025-0859) in versions up to and including 1.27.6. The vulnerability was discovered in early 2025 and affects the template_via_url() function. This security issue allows authenticated attackers with Contributor-level access or higher to read arbitrary files on the server (Red Hat CVE).

The vulnerability exists in the template_via_url() function of the plugin, specifically within the class-boldgrid-editor-preview.php file. The issue allows path traversal attacks that can expose sensitive server files. The vulnerability has been assigned a CVSS v3.1 base score that indicates high severity for confidentiality impact while requiring authenticated access (GitHub Commit).

The vulnerability enables authenticated users with Contributor-level permissions or higher to read the contents of arbitrary files on the affected server. This could lead to exposure of sensitive information stored in server files (Red Hat CVE).

The vulnerability has been patched in version 1.27.7 of the Post and Page Builder plugin. Users are advised to update to this version immediately to protect against potential exploitation (GitHub Commit).