CVE-2025-5286: 
WordPress vulnerability analysis and mitigation

The Bold Page Builder plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 5.3.6, discovered and disclosed on May 29, 2025. The vulnerability exists in the 'additional_settings' parameter due to insufficient input sanitization and output escaping (NVD, Wiz).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). It has received a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and required privileges (NVD, Rapid7).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (Wiz).

The vulnerability has been patched in version 5.3.7 of the Bold Page Builder plugin. Users are advised to update to this version immediately. The update includes security improvements and enhanced input validation (WordPress Plugin).