Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
PR:H confirmed by admin/editor requirement; S:C reflects browser context crossing; limited C/I/A due to constrained script scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricksable for Bricks Builder allows Stored XSS.
This issue affects Bricksable for Bricks Builder: from n/a through 1.6.83.
AnalysisAI
Stored Cross-Site Scripting in the Bricksable for Bricks Builder WordPress plugin (versions through 1.6.83) allows a high-privileged attacker to inject persistent malicious scripts into page builder elements, which then execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms the injected payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the viewing user. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a high-privilege WordPress role (Administrator or Editor) as confirmed by the PR:H metric in the CVSS vector - unauthenticated or low-privileged users cannot trigger this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.9 (Medium) reflects a constrained but meaningful risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with WordPress Administrator or Editor credentials navigates to a page or post using a Bricksable element and injects a JavaScript payload (e.g., a cookie-stealing script) into an unsanitized input field within the Bricks Builder editor. The payload is saved to the WordPress database and silently executes in the browser of any user - including other administrators - who subsequently views the affected page, potentially exfiltrating session tokens or performing privileged actions. … |
| Remediation | The primary remediation is to update the Bricksable for Bricks Builder plugin to a version beyond 1.6.83. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37873
GHSA-m7fg-j95w-crhw