Skip to main content

Envision Page Builder CVE-2026-57780

| EUVDEUVD-2026-43398 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

XSS does not directly cause availability impact; all other metrics match authenticated network-accessible DOM-XSS with scope change and required victim interaction.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:19 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plugin Envision Envision Page Builder envision-page-builder allows DOM-Based XSS.This issue affects Envision Page Builder: from n/a through <= 0.22.

AnalysisAI

DOM-Based Cross-Site Scripting in the Envision Page Builder WordPress plugin (versions through 0.22) allows low-privileged authenticated attackers to inject and execute malicious JavaScript in victim browsers via unsanitized page builder input. The scope change (S:C) in the CVSS vector confirms the payload escapes the plugin's own context and can affect the broader WordPress environment, including the admin panel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged WordPress account
Delivery
Create page with malicious DOM-XSS payload via Envision Page Builder
Exploit
Publish or share page link
Execution
Victim administrator previews page
Persist
Browser executes injected JavaScript
Impact
Exfiltrate admin session cookie or perform unauthorized actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress account with at minimum low-privilege access (PR:L per CVSS vector), such as a contributor, author, or subscriber role capable of creating or editing content via the Envision Page Builder plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 reflects a medium-severity, network-accessible vulnerability with low-privilege requirements and required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged WordPress account (e.g., contributor role) crafts a page or post using the Envision Page Builder that embeds a malicious DOM-manipulating payload in a builder field that is later rendered without sanitization. When a site administrator or editor previews or visits the affected page, the injected JavaScript executes in their browser, potentially exfiltrating their authentication cookie or performing unauthorized administrative actions such as creating a backdoor account. …
Remediation Update the Envision Page Builder plugin to a version beyond 0.22 as soon as a patched release is made available by Plugin Envision via the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy