Skip to main content

Bricks Builder EUVDEUVD-2026-37592

| CVE-2026-40723 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Subscriber authentication required (PR:L); network reachable with no complexity; impact limited to unauthorized write actions with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:53 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions.

AnalysisAI

Broken Access Control in Bricks Builder for WordPress (versions up to and including 2.1.4) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privilege roles such as editor or administrator. Rooted in CWE-862 (Missing Authorization), the flaw means certain builder endpoints or AJAX actions execute without verifying whether the requesting user holds sufficient capabilities. No public exploit code identified at time of analysis, and this CVE is not listed in CISA KEV; however, the low authentication barrier (any registered subscriber) on sites with open registration increases realistic exposure.

Technical ContextAI

Bricks Builder is a visual WordPress theme and page-builder product identified by CPE cpe:2.3:a:bricks:bricks_builder:*:*:*:*:*:*:*:*. WordPress enforces a role-capability model where subscribers hold the minimum set of permissions (essentially read-only). CWE-862 (Missing Authorization) describes the root cause: the application performs a privileged operation - such as modifying builder templates, page structure, or builder-specific settings - without first calling an appropriate WordPress capability check (e.g., current_user_can()). Because the authorization gate is absent rather than misconfigured, a subscriber can reach restricted REST API routes or AJAX handlers and alter site content in ways reserved for higher roles.

RemediationAI

Update Bricks Builder to a version beyond 2.1.4 as the primary remediation; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/bricks/vulnerability/wordpress-bricks-builder-theme-2-1-4-broken-access-control-vulnerability?_s_id=cve and the vendor changelog for the confirmed patched release version, which is not independently specified in the available data. If immediate patching is not possible, disable public user registration (Settings > General > uncheck 'Anyone can register') to eliminate the subscriber account attack surface entirely - note this prevents new users from self-registering for any purpose. As an additional compensating control, audit and remove any unnecessary subscriber-level accounts. The trade-off of disabling registration is loss of self-service onboarding workflows if the site relies on them.

Share

EUVD-2026-37592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy