Skip to main content

Themify Builder CVE-2026-15407

| EUVDEUVD-2026-44891 MEDIUM
Missing Authorization (CWE-862)
2026-07-16 Wordfence
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Subscriber-level authentication required (PR:L); nonce trivially obtained from public pages (AC:L); impact confined to CSS and font integrity with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:06 vuln.today
CVE Published
Jul 16, 2026 - 07:51 cve.org
MEDIUM 4.3

DescriptionNVD

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.

AnalysisAI

Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subscriber-level user to overwrite or delete CSS stylesheet files for arbitrary posts - including private and draft posts owned by other users - and modify plugin-scoped font options site-wide. The CSRF nonce (tf_nonce) nominally required to gate these actions is broadcast to every authenticated user visiting any public front-end builder page via wp_localize_script, making it trivially collectible and rendering it ineffective as a security control. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber-level account
Delivery
Visit public builder page to harvest tf_nonce
Exploit
Craft authorization-bypass POST request
Execution
Overwrite or delete target post CSS stylesheet
Impact
Modify plugin font options for site-wide visual impact

Vulnerability AssessmentAI

Exploitation Exploitation requires at minimum a valid subscriber-level authenticated session on the target WordPress site - unauthenticated exploitation is not possible, confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately reflects the bounded impact: no confidentiality or availability consequence, integrity impact limited to CSS stylesheets and font settings, and a low-privilege authentication requirement that excludes unauthenticated exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a target WordPress site running Themify Builder 7.7.7 or earlier, then visits any publicly accessible front-end builder page and extracts the tf_nonce value injected by wp_localize_script into the page JavaScript. Using that nonce, the attacker issues crafted HTTP POST requests to the plugin's stylesheet endpoints, deleting or overwriting CSS files for private draft posts authored by other users or altering site-wide font settings, causing visual defacement without triggering any capability check. …
Remediation An upstream fix has been committed to the Themify Builder plugin repository, as evidenced by the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3607906%40themify-builder&new=3607906%40themify-builder; however, the specific patched release version number is not independently confirmed from available data - administrators should update to the latest available version from the WordPress plugin repository and verify the installed version exceeds 7.7.7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy