Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-accessible WordPress endpoint, low complexity, contributor auth required (PR:L), scope changes to victim browser; no availability impact from stored XSS.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated users to inject persistent JavaScript via the 'height_slider' Slider Module field, which executes in the browser of any visitor who loads an injected page. The scope change (S:C in CVSS) captures the cross-context impact: attacker payload runs in victims' sessions, enabling session hijacking, credential theft, or unauthorized admin actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with contributor-level privileges or higher (editor, administrator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 score (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects the meaningful but bounded nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or compromised a contributor-level WordPress account on a site running Themify Builder ≤7.7.6 creates or edits a page containing a Slider module and injects a JavaScript payload (e.g., a cookie-stealing script) into the height_slider field. The payload is stored in the database and silently executes in the browser of every visitor - including administrators - who subsequently loads that page, allowing the attacker to harvest session tokens without any further interaction. |
| Remediation | Update the Themify Builder plugin to a version beyond 7.7.6 immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Themify Builder
View allReflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote
Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated a
Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subs
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43132
GHSA-r6f8-v3hv-xx2m