Skip to main content

Bricks Builder EUVDEUVD-2026-28369

| CVE-2026-41554 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 Patchstack GHSA-w6wq-7556-p56p
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 14:31 vuln.today
CVE Published
May 07, 2026 - 13:28 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS.

This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2.

AnalysisAI

Reflected cross-site scripting in Bricks Builder WordPress theme through version 1.9.2 to 2.2 enables remote attackers to execute malicious JavaScript in victim browsers by crafting URLs with unsanitized input that gets reflected into generated web pages without proper encoding. Exploitation requires victim interaction (clicking a malicious link) but no authentication, making phishing and social engineering viable delivery methods. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though Patchstack disclosure suggests security researchers have demonstrated the vulnerability.

Technical ContextAI

Bricks Builder is a visual site builder theme for WordPress (CPE: cpe:2.3:a:bricks:bricks_builder). This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input from URL parameters or form fields is incorporated into dynamically generated HTML responses without proper sanitization or output encoding. Reflected XSS differs from stored XSS in that the malicious payload is not persisted server-side but instead bounced back from the server in the immediate response. The affected version range spans from unspecified early versions through 1.9.2 up to version 2.2, suggesting a longstanding input handling deficiency in the theme's rendering logic. WordPress themes with visual builders often process complex query parameters to render preview states or dynamic content, creating multiple potential injection points if input validation is insufficient.

RemediationAI

Upgrade Bricks Builder to the latest version available from the vendor that addresses CVE-2026-41554. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/bricks/vulnerability/wordpress-bricks-builder-theme-1-9-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for patch confirmation and specific fixed version number, as the CVE data does not specify the exact patched release. Until patching is complete, implement compensating controls including Content Security Policy (CSP) headers with strict script-src directives to prevent inline JavaScript execution (note: may break legitimate theme functionality requiring inline scripts), Web Application Firewall (WAF) rules to detect and block XSS patterns in URL parameters and form submissions (trade-off: potential false positives requiring tuning), and user awareness training to recognize phishing attempts delivering malicious links. Restrict WordPress admin access to trusted networks via IP allowlisting or VPN if operationally feasible, reducing exposure surface for social engineering. Verify CSP implementation does not disable security protections through overly permissive 'unsafe-inline' or 'unsafe-eval' directives.

Share

EUVD-2026-28369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy