Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS.
This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2.
AnalysisAI
Reflected cross-site scripting in Bricks Builder WordPress theme through version 1.9.2 to 2.2 enables remote attackers to execute malicious JavaScript in victim browsers by crafting URLs with unsanitized input that gets reflected into generated web pages without proper encoding. Exploitation requires victim interaction (clicking a malicious link) but no authentication, making phishing and social engineering viable delivery methods. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though Patchstack disclosure suggests security researchers have demonstrated the vulnerability.
Technical ContextAI
Bricks Builder is a visual site builder theme for WordPress (CPE: cpe:2.3:a:bricks:bricks_builder). This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input from URL parameters or form fields is incorporated into dynamically generated HTML responses without proper sanitization or output encoding. Reflected XSS differs from stored XSS in that the malicious payload is not persisted server-side but instead bounced back from the server in the immediate response. The affected version range spans from unspecified early versions through 1.9.2 up to version 2.2, suggesting a longstanding input handling deficiency in the theme's rendering logic. WordPress themes with visual builders often process complex query parameters to render preview states or dynamic content, creating multiple potential injection points if input validation is insufficient.
RemediationAI
Upgrade Bricks Builder to the latest version available from the vendor that addresses CVE-2026-41554. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/bricks/vulnerability/wordpress-bricks-builder-theme-1-9-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for patch confirmation and specific fixed version number, as the CVE data does not specify the exact patched release. Until patching is complete, implement compensating controls including Content Security Policy (CSP) headers with strict script-src directives to prevent inline JavaScript execution (note: may break legitimate theme functionality requiring inline scripts), Web Application Firewall (WAF) rules to detect and block XSS patterns in URL parameters and form submissions (trade-off: potential false positives requiring tuning), and user awareness training to recognize phishing attempts delivering malicious links. Restrict WordPress admin access to trusted networks via IP allowlisting or VPN if operationally feasible, reducing exposure surface for social engineering. Verify CSP implementation does not disable security protections through overly permissive 'unsafe-inline' or 'unsafe-eval' directives.
More in Bricks Builder
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28369
GHSA-w6wq-7556-p56p