Skip to main content

WPBakery Page Builder CVE-2026-45436

| EUVDEUVD-2026-37610 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
6.5 MEDIUM

Subscriber-level account required (PR:L); network-exploitable with no complexity (AV:N/AC:L); high integrity impact from unauthorized writes; no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:52 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions.

AnalysisAI

Broken access control in WPBakery Page Builder (versions ≤ 8.7.2) allows subscriber-level authenticated WordPress users to invoke privileged functionality without proper authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) confirms this is network-exploitable with low complexity and high integrity impact, meaning authenticated low-privilege users can perform content or administrative actions restricted to higher roles such as editor or administrator. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain WordPress subscriber account
Delivery
Authenticate to target WordPress site
Exploit
Identify unprotected WPBakery plugin endpoint
Execution
Send crafted authenticated request bypassing capability check
Impact
Execute privileged content or configuration modification

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account at subscriber level or higher on the target site - no special plugin configuration or non-default settings are described as necessary beyond having WPBakery Page Builder installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 (Medium) is derived from a vector that combines network accessibility, low attack complexity, and high integrity impact - a combination that warrants real prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a target WordPress site running WPBakery Page Builder ≤ 8.7.2, then sends a crafted authenticated HTTP request directly to an unprotected plugin endpoint (such as an admin-ajax.php action or REST route) that the plugin neglects to gate with a capability check. The missing authorization allows the subscriber to execute page content modifications, template changes, or other actions normally reserved for editors or administrators. …
Remediation Update WPBakery Page Builder to a version above 8.7.2 per the vendor release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy