The vulnerability's details are outlined below. Please note that this issue was discovered and responsibly reported to us by andrea bocchetti. Any credit for the discovery of the vulnerability should be granted to them.

Vulnerability Title: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.26.4 - Authenticated (Contributer+) Stored Cross-Site Scripting
CVE ID: CVE-2024-4400
CVSS Severity Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): andrea bocchetti
Software Link: https://wordpress.org/plugins/post-and-page-builder

Description
The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plguin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.26.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Proof of Concept

1. Install the Plugin Post and Page Builder
2. Login as Author and go to the dashboard profile
3. Create a new article
4. Click on the Add Block button
5. Select a random template from the list ( you have to connect the plugin using a key after the registration)
6. An example of content with xss is the following:

<div class="row wow fadeInRight" data-wow-duration="1.5s" data-wow-delay="0s" style="padding-bottom: 25px;">
<div class="col-md-6 col-sm-6 col-xs-12 col-lg-6">
<div class="row" style="padding: 1em;">
<div class="col-md-2 col-sm-3 col-xs-3 bg-box-cover text-right col-lg-2"><i class="fa fa-quote-left color3-background-color color-3-text-contrast bg-background-color" style="font-size: 20px; border-radius: 50px; padding: 0.7em;" aria-hidden="true"><span style="display: none;">&nbsp;</span></i></div>
<div class="col-md-10 col-sm-9 col-xs-9 col-lg-10">
<p class="">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam eu dignissim tortor, sit amet bibendum lacus. Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<p class="">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam eu dignissim tortor, sit amet bibendum lacus. Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<p class="h4 color3-color">Christine Todd</p>

</div>
</div>
</div>
<div class="col-md-6 col-sm-6 col-xs-12 col-lg-6">
<div class="row" style="padding: 1em;">
<div class="col-md-2 col-sm-3 col-xs-3 bg-box-cover text-right col-lg-2"><i class="fa fa-quote-left color3-background-color color-3-text-contrast bg-background-color" style="font-size: 20px; border-radius: 50px; padding: 0.7em;" aria-hidden="true"><span style="display: none;">&nbsp;</span></i></div>
<div class="col-md-10 col-sm-9 col-xs-9 col-lg-10">
<p class="">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam eu dignissim tortor, sit amet bibendum lacus. Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<p class="">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam eu dignissim tortor, sit amet bibendum lacus. Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
<p class="h4 color3-color">Max Wong</p>

</div>
</div>
</div>
</div>
</div>
</div>
<div class="boldgrid-section">
<div class="container">
<div class="row">
<div class="col-lg-12 col-md-12 col-xs-12 col-sm-12">

&nbsp;

</div>
</div>
</div>
</div>

Any Known Public References
No known public reference

​Recommended Solution
We recommend using one of the built-in WordPress sanitization functions before saving user input data to the database. You can read more about the sanitization functions that WordPress has available at: https://developer.wordpress.org/apis/security/sanitizing/

We recommend using one of the built-in WordPress escaping functions before outputting user data. WordPress has a number of functions that can be used for different situations. You can read more about these functions at: https://developer.wordpress.org/apis/security/escaping/

As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.

You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.