Bold Page Builder Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link – CVE-2024-1160 |WordPress Plugin Vulnerability Report

Plugin Name: Bold Page Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: bold-page-builder
  • Software Status: Active
  • Software Author: boldthemes
  • Software Downloads: 1,662,907
  • Active Installs: 50,000
  • Last Updated: February 27, 2024
  • Patched Versions: 4.8.1
  • Affected Versions: <= 4.8.0

Vulnerability Details:

  • Name: Bold Page Builder <= 4.8.0
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1160
  • CVSS Score: 5.4
  • Publicly Published: February 12, 2024
  • Researcher: wesley
  • Description: The Bold Page Builder plugin for WordPress contains a vulnerability in versions up to and including 4.8.0, which allows authenticated users with contributor-level permissions or higher to execute Stored Cross-Site Scripting (XSS) attacks through the plugin's Icon Link. This is due to inadequate input sanitization and output escaping, which enables the injection of arbitrary web scripts into pages that execute when a user views the page.


The Bold Page Builder for WordPress has a critical vulnerability in versions up to and including 4.8.0, allowing attackers to perform Stored Cross-Site Scripting (XSS) attacks via the Icon Link feature. This vulnerability has been resolved in version 4.8.1.

Detailed Overview:

This vulnerability was identified by the researcher wesley, highlighting a significant flaw in the plugin's security measures related to insufficient input sanitization and output escaping. The XSS vulnerability presents a substantial risk, as it could allow attackers to steal sensitive information, hijack user sessions, or redirect users to malicious sites. The patched version 4.8.1 addresses these concerns by implementing enhanced security protocols to prevent similar attacks.

Advice for Users:

  • Immediate Action: It is crucial for all users of the Bold Page Builder plugin to update to the patched version 4.8.1 immediately to safeguard their sites from potential exploits.
  • Check for Signs of Vulnerability: Users should review their site for unexpected or suspicious scripts and verify that only trusted individuals have contributor-level access or higher.
  • Alternate Plugins: While the patched version is deemed secure, users may consider exploring alternative page builder plugins to ensure the utmost security.
  • Stay Updated: Consistently updating all WordPress plugins and themes is essential in maintaining a secure online presence and preventing vulnerabilities.


The rapid response from the developers of Bold Page Builder to rectify this vulnerability underscores the critical nature of maintaining up-to-date software on your WordPress site. By upgrading to version 4.8.1, users can secure their installations against this specific vulnerability. Staying vigilant and proactive in updating software components is paramount in safeguarding your website from potential security threats.


In today's digital landscape, the security of a website is paramount for businesses of all sizes, especially small enterprises that often operate with limited resources. The recent discovery of a vulnerability in the Bold Page Builder, a popular WordPress plugin, serves as a critical reminder of the constant vigilance required to safeguard online assets against emerging threats. This plugin, known for its versatility in enhancing website functionality and aesthetics, has been compromised, posing significant risks to unsuspecting users and site owners.

Bold Page Builder: An Overview

The Bold Page Builder plugin, developed by BoldThemes, is a staple in the WordPress community, with over 50,000 active installations and more than 1.6 million downloads. Its ease of use and rich feature set have made it a go-to choice for crafting engaging and visually appealing websites. However, the plugin's widespread popularity also makes it a target for malicious actors seeking to exploit vulnerabilities.

The Vulnerability Exposed

A concerning flaw was uncovered in versions up to and including 4.8.0 of the Bold Page Builder, identified as CVE-2024-1160. This vulnerability allows authenticated users with contributor-level permissions or higher to execute Stored Cross-Site Scripting (XSS) attacks via the plugin's Icon Link feature. The issue stems from insufficient input sanitization and output escaping, enabling attackers to inject arbitrary web scripts that are executed when a user accesses an affected page.

Risks and Potential Impacts

The implications of this vulnerability are far-reaching. Stored XSS attacks can lead to the theft of sensitive information, session hijacking, and the redirection of users to malicious sites, compromising both site integrity and user trust. For small businesses, the repercussions can be particularly severe, potentially leading to reputational damage, loss of customer trust, and financial repercussions.

Remediation and Proactive Measures

In response to this discovery, the developers released a patched version, 4.8.1, to address the vulnerability. Users of the plugin are strongly urged to update to this latest version immediately to mitigate the risks. Additionally, site owners should conduct regular audits of their site for unexpected scripts and ensure that only trusted individuals have elevated access. Exploring alternative plugins with similar functionalities might also be a prudent step for those seeking added peace of mind.

Historical Context and the Importance of Vigilance

This is not the first time vulnerabilities have been identified in the Bold Page Builder, with six previous incidents since August 2019. This pattern highlights the critical importance of staying informed about potential security issues and the need for timely updates. For small business owners, who often juggle numerous responsibilities, understanding the nuances of web security can be daunting. However, the security of a digital platform should never be compromised.


The rapid resolution of this issue by the plugin developers is commendable, yet it underscores a broader necessity: the need for constant vigilance in the digital arena. For small business owners, the task of maintaining a secure website amidst a myriad of other responsibilities can seem overwhelming. However, the security of your digital presence is integral to your business's success and reputation. Leveraging resources like security blogs, automated update features, and professional cybersecurity services can help ease the burden and ensure that your site remains a safe and reliable platform for your audience. In the digital age, staying ahead of security vulnerabilities is not just a technical necessity but a fundamental business practice.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Bold Page Builder Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link – CVE-2024-1160 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment