Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.
AnalysisAI
DOM-based cross-site scripting (XSS) in Ultimate Addons for WPBakery Page Builder versions before 3.21.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in other users' browsers with user interaction. The vulnerability affects WordPress sites using this plugin and could enable session hijacking, credential theft, or malware distribution through page builder interfaces.
Technical ContextAI
The vulnerability is a DOM-based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Ultimate Addons for WPBakery Page Builder WordPress plugin. WPBakery is a visual page builder that allows users to design pages through a drag-and-drop interface. The plugin extends WPBakery with additional UI components and addons. DOM-based XSS occurs when client-side JavaScript code processes user input unsafely, directly writing it to the DOM without proper sanitization or encoding. In this case, the plugin's frontend or editor interface fails to neutralize user-supplied input before rendering it in the page's HTML structure, allowing an attacker with plugin access to craft malicious payloads that execute in the context of other authenticated users' browsers.
RemediationAI
Vendor-released patch: Ultimate Addons for WPBakery Page Builder 3.21.4 and later. WordPress administrators should immediately update the plugin to version 3.21.4 or above through the WordPress dashboard (Plugins > Installed Plugins > Update). For sites unable to immediately update, implement access controls to restrict WPBakery editor access to trusted administrators only, limiting exposure to low-privilege authenticated accounts. The plugin update can be deployed automatically via WordPress's automatic update feature if enabled. Additional details and verification of the fix are available at the Patchstack advisory referenced above.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17845