Skip to main content

Themify Builder CVE-2026-57369

| EUVDEUVD-2026-43443 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable reflected XSS needs a victim click (UI:R) and no attacker auth (PR:N); script runs cross-context (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:07 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder: from n/a through <= 7.7.4.

AnalysisAI

Reflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote attackers inject arbitrary script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 base score of 7.1 reflects unauthenticated exploitation with a scope change, though it requires user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with XSS payload in plugin parameter
Delivery
Deliver link to victim via phishing
Exploit
Victim loads reflected response
Execution
Script executes in victim browser
Impact
Steal session or forge actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively click or load an attacker-crafted URL (CVSS UI:R), so it cannot be triggered zero-click or purely server-side - this social-engineering step is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates network-reachable, low-complexity exploitation with no privileges required, but critically requires user interaction (UI:R) - a victim must click or load a crafted link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target WordPress site embedding a malicious script payload in a Themify Builder parameter, then distributes it via phishing email, forum post, or social media. When a logged-in administrator or visitor clicks the link, the unsanitized input is reflected into the page and the script executes in their browser, allowing session cookie theft, action forgery, or redirection. …
Remediation No vendor-released patch version was identified in the available data; the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/themify-builder/vulnerability/wordpress-themify-builder-plugin-7-7-4-cross-site-scripting-xss-vulnerability) lists the flaw as affecting through 7.7.4, so administrators should monitor for and apply a release later than 7.7.4 once published and confirm via the Themify changelog. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all WordPress installations to identify current Themify Builder versions and affected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy