Skip to main content

Bricksforge CVE-2026-34888

| EUVDEUVD-2026-37671 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-17 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable disclosure in a WordPress plugin yields AV:N/AC:L/PR:N/UI:N; pure information leak gives C:H, I:N, A:N with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:25 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Bricksforge <= 3.1.8.4 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Bricksforge
Delivery
Fingerprint plugin version ≤ 3.1.8.4
Exploit
Send unauthenticated request to vulnerable endpoint
Execution
Parse response for sensitive data
Impact
Exfiltrate disclosed information

Vulnerability AssessmentAI

Exploitation The target site must have the Bricksforge WordPress plugin installed and active at version 3.1.8.4 or earlier and reachable over the network on the standard WordPress HTTP(S) interface; no authentication, user interaction, or non-default configuration is required per the CVSS vector AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates a network-reachable, low-complexity, unauthenticated exploit with high confidentiality impact but no integrity or availability effect, which aligns with a pure information-disclosure class bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker scans the public internet for WordPress installations exposing Bricksforge fingerprints, then issues an unauthenticated HTTP request to the vulnerable plugin endpoint and parses the response for sensitive values such as configuration data, internal identifiers, or PII handled by the plugin's form or dynamic-data features. No login, user interaction, or special tooling is required, and no public exploit code has been identified at time of analysis, though the low complexity makes independent rediscovery straightforward once the affected endpoint is known.
Remediation Upstream fix availability is implied by the '<= 3.1.8.4' phrasing in the Patchstack advisory but a released patched version is not independently confirmed in the provided data; site operators should consult the Patchstack record at https://patchstack.com/database/wordpress/plugin/bricksforge/vulnerability/wordpress-bricksforge-plugin-3-1-8-4-sensitive-data-exposure-vulnerability and upgrade to the next Bricksforge release above 3.1.8.4 as soon as the vendor publishes it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct a comprehensive audit of all WordPress installations to identify Bricksforge plugin presence and document current version numbers; inventory what sensitive data the plugin accesses (customer records, credentials, payment information, etc.). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-34888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy