Skip to main content

Brainstorm Force Ultimate Addons CVE-2026-34889

| EUVDEUVD-2026-17845 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.21.4
EUVD ID Assigned
Apr 01, 2026 - 09:22 euvd
EUVD-2026-17845
Analysis Generated
Apr 01, 2026 - 09:22 vuln.today
CVE Published
Apr 01, 2026 - 09:16 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.

AnalysisAI

DOM-based cross-site scripting (XSS) in Ultimate Addons for WPBakery Page Builder versions before 3.21.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in other users' browsers with user interaction. The vulnerability affects WordPress sites using this plugin and could enable session hijacking, credential theft, or malware distribution through page builder interfaces.

Technical ContextAI

The vulnerability is a DOM-based XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Ultimate Addons for WPBakery Page Builder WordPress plugin. WPBakery is a visual page builder that allows users to design pages through a drag-and-drop interface. The plugin extends WPBakery with additional UI components and addons. DOM-based XSS occurs when client-side JavaScript code processes user input unsafely, directly writing it to the DOM without proper sanitization or encoding. In this case, the plugin's frontend or editor interface fails to neutralize user-supplied input before rendering it in the page's HTML structure, allowing an attacker with plugin access to craft malicious payloads that execute in the context of other authenticated users' browsers.

RemediationAI

Vendor-released patch: Ultimate Addons for WPBakery Page Builder 3.21.4 and later. WordPress administrators should immediately update the plugin to version 3.21.4 or above through the WordPress dashboard (Plugins > Installed Plugins > Update). For sites unable to immediately update, implement access controls to restrict WPBakery editor access to trusted administrators only, limiting exposure to low-privilege authenticated accounts. The plugin update can be deployed automatically via WordPress's automatic update feature if enabled. Additional details and verification of the fix are available at the Patchstack advisory referenced above.

Share

CVE-2026-34889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy