CVE-2025-0859
📋 TL;DR
This vulnerability in the BoldGrid Post and Page Builder WordPress plugin allows authenticated attackers with Contributor-level access or higher to perform path traversal attacks via the template_via_url() function. This enables reading arbitrary files on the server, potentially exposing sensitive information like configuration files, credentials, or source code. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Post and Page Builder by BoldGrid – Visual Drag and Drop Editor for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive files like wp-config.php containing database credentials, server configuration files, or other sensitive data, leading to complete site compromise, data theft, or lateral movement within the server environment.
Likely Case
Attackers with contributor accounts exfiltrate sensitive configuration files, potentially obtaining database credentials, API keys, or other secrets that could lead to further exploitation.
If Mitigated
With proper access controls and file permissions, attackers can only read files accessible to the web server user, limiting exposure to non-sensitive files.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor role or higher). The vulnerability is well-documented with public proof-of-concept available in the GitHub commit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.27.7
Vendor Advisory: https://wordpress.org/plugins/post-and-page-builder/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Post and Page Builder by BoldGrid'.
4. Click 'Update Now' if available, or manually update to version 1.27.7 or higher.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Post and Page Builder plugin until patched
wp plugin deactivate post-and-page-builder
Restrict user roles
Remove Contributor and higher roles from untrusted users
wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber
🧯 If You Can't Patch
- Implement strict file system permissions to limit web server user access to sensitive directories
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Post and Page Builder by BoldGrid' version 1.27.6 or lower
Check Version:
wp plugin get post-and-page-builder --field=version
Verify Fix Applied:
Verify plugin version is 1.27.7 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with action=boldgrid_editor_preview_template_via_url containing file path traversal patterns (../)
- Unusual file read attempts from web server user
Network Indicators:
- POST requests to admin-ajax.php with template_via_url parameters containing path traversal sequences
SIEM Query:
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND post_data="*template_via_url*" AND (post_data="*../*" OR post_data="*..\\*" OR post_data="*%2e%2e%2f*")
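As an added example, not taken from the advisory or the plugin, the following Python implements the same detection rule in a form that can be run over parsed web-server requests: it merges query-string and POST-body parameters, checks for the ajax action and parameter named in the log indicators above, and URL-decodes repeatedly so that double-encoded sequences such as %252e%252e%252f, which the literal SIEM patterns above would miss, are flagged as well. The traversal regex and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Ajax action and parameter named in the advisory's log indicators.
AJAX_ACTION = "boldgrid_editor_preview_template_via_url"
PARAM = "template_via_url"
# ".." bounded by a slash/backslash or a string edge: a real traversal step,
# not a literal ".." inside a file name such as "a..b" (assumed pattern).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded %252e%252e%252f is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(method: str, uri: str, body: str) -> bool:
    """True when a request hits the vulnerable ajax action with a traversal payload."""
    path, _, query = uri.partition("?")
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    # Merge query-string and POST-body parameters; the action may travel in either.
    params = parse_qs(query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    if AJAX_ACTION not in params.get("action", []):
        return False
    return any(TRAVERSAL.search(fully_decode(v)) for v in params.get(PARAM, []))


# Constructed sample requests (method, uri, body); not real captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", f"action={AJAX_ACTION}&{PARAM}=https://example.com/t.html"),
    ("POST", "/wp-admin/admin-ajax.php", f"action={AJAX_ACTION}&{PARAM}=../../../../wp-config.php"),
    ("POST", "/wp-admin/admin-ajax.php", f"action={AJAX_ACTION}&{PARAM}=%252e%252e%252fwp-config.php"),
    ("POST", "/wp-admin/admin-ajax.php", f"action={AJAX_ACTION}&{PARAM}=..%5c..%5cwp-config.php"),
    ("GET", "/wp-admin/admin-ajax.php?action=heartbeat", ""),
]


def flagged_requests(requests=SAMPLE_REQUESTS) -> list:
    """Indexes of the requests that match the detection rule."""
    return [i for i, (m, u, b) in enumerate(requests) if is_traversal_attempt(m, u, b)]
```

Only the three traversal samples are flagged; the legitimate remote-template URL and the unrelated heartbeat request are not.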
🔗 References
- https://github.com/BoldGrid/post-and-page-builder/pull/638/commits/10e4d1d96fd2735379049259d15896fa6dd35471
- https://plugins.trac.wordpress.org/browser/post-and-page-builder/trunk/includes/class-boldgrid-editor-preview.php#L178
- https://plugins.trac.wordpress.org/changeset?old=3234175&old_path=post-and-page-builder%2Ftags%2F1.27.7%2Fincludes%2Fclass-boldgrid-editor-preview.php&new=3234175&new_path=post-and-page-builder%2Ftags%2F1.27.7%2Fincludes%2Fclass-boldgrid-editor-preview.php
- https://wordpress.org/plugins/post-and-page-builder/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/111a1e7f-bc87-4130-a0b2-422d0f98afb6?source=cve