Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Subscriber-level authentication required (PR:L); nonce trivially obtained from public pages (AC:L); impact confined to CSS and font integrity with no confidentiality or availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.
AnalysisAI
Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subscriber-level user to overwrite or delete CSS stylesheet files for arbitrary posts - including private and draft posts owned by other users - and modify plugin-scoped font options site-wide. The CSRF nonce (tf_nonce) nominally required to gate these actions is broadcast to every authenticated user visiting any public front-end builder page via wp_localize_script, making it trivially collectible and rendering it ineffective as a security control. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires at minimum a valid subscriber-level authenticated session on the target WordPress site - unauthenticated exploitation is not possible, confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects the bounded impact: no confidentiality or availability consequence, integrity impact limited to CSS stylesheets and font settings, and a low-privilege authentication requirement that excludes unauthenticated exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a target WordPress site running Themify Builder 7.7.7 or earlier, then visits any publicly accessible front-end builder page and extracts the tf_nonce value injected by wp_localize_script into the page JavaScript. Using that nonce, the attacker issues crafted HTTP POST requests to the plugin's stylesheet endpoints, deleting or overwriting CSS files for private draft posts authored by other users or altering site-wide font settings, causing visual defacement without triggering any capability check. … |
| Remediation | An upstream fix has been committed to the Themify Builder plugin repository, as evidenced by the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3607906%40themify-builder&new=3607906%40themify-builder; however, the specific patched release version number is not independently confirmed from available data - administrators should update to the latest available version from the WordPress plugin repository and verify the installed version exceeds 7.7.7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Themify Builder
View allReflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote
Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated u
Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated a
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44891