Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Subscriber authentication required (PR:L); network reachable with no complexity; impact limited to unauthorized write actions with no confidentiality or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions.
AnalysisAI
Broken Access Control in Bricks Builder for WordPress (versions up to and including 2.1.4) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privilege roles such as editor or administrator. Rooted in CWE-862 (Missing Authorization), the flaw means certain builder endpoints or AJAX actions execute without verifying whether the requesting user holds sufficient capabilities. No public exploit code identified at time of analysis, and this CVE is not listed in CISA KEV; however, the low authentication barrier (any registered subscriber) on sites with open registration increases realistic exposure.
Technical ContextAI
Bricks Builder is a visual WordPress theme and page-builder product identified by CPE cpe:2.3:a:bricks:bricks_builder:*:*:*:*:*:*:*:*. WordPress enforces a role-capability model where subscribers hold the minimum set of permissions (essentially read-only). CWE-862 (Missing Authorization) describes the root cause: the application performs a privileged operation - such as modifying builder templates, page structure, or builder-specific settings - without first calling an appropriate WordPress capability check (e.g., current_user_can()). Because the authorization gate is absent rather than misconfigured, a subscriber can reach restricted REST API routes or AJAX handlers and alter site content in ways reserved for higher roles.
RemediationAI
Update Bricks Builder to a version beyond 2.1.4 as the primary remediation; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/bricks/vulnerability/wordpress-bricks-builder-theme-2-1-4-broken-access-control-vulnerability?_s_id=cve and the vendor changelog for the confirmed patched release version, which is not independently specified in the available data. If immediate patching is not possible, disable public user registration (Settings > General > uncheck 'Anyone can register') to eliminate the subscriber account attack surface entirely - note this prevents new users from self-registering for any purpose. As an additional compensating control, audit and remove any unnecessary subscriber-level accounts. The trade-off of disabling registration is loss of self-service onboarding workflows if the site relies on them.
More in Bricks Builder
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37592