Skip to main content

Bricksforge EUVDEUVD-2026-37671

| CVE-2026-34888 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-17 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable disclosure in a WordPress plugin yields AV:N/AC:L/PR:N/UI:N; pure information leak gives C:H, I:N, A:N with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:25 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Bricksforge <= 3.1.8.4 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.

Technical ContextAI

Bricksforge is a third-party add-on plugin for the Bricks Builder page-building ecosystem on WordPress, extending it with form handling, dynamic data, and admin-side workflow features. The CPE 'cpe:2.3:a:bricksforge:bricksforge' identifies the vendor's commercial plugin, and the underlying weakness CWE-201 (Insertion of Sensitive Information Into Sent Data) means the plugin embeds confidential values into responses or assets that are reachable without authentication - typically AJAX endpoints, REST routes, or rendered front-end output that should have been gated behind capability checks. Patchstack, who reported the issue, specializes in WordPress plugin vulnerabilities and coordinates fixes with plugin authors.

RemediationAI

Upstream fix availability is implied by the '<= 3.1.8.4' phrasing in the Patchstack advisory but a released patched version is not independently confirmed in the provided data; site operators should consult the Patchstack record at https://patchstack.com/database/wordpress/plugin/bricksforge/vulnerability/wordpress-bricksforge-plugin-3-1-8-4-sensitive-data-exposure-vulnerability and upgrade to the next Bricksforge release above 3.1.8.4 as soon as the vendor publishes it. Until a fixed version is installed, compensating controls include deactivating the Bricksforge plugin entirely (which will break any forms, dynamic content, or admin workflows it provides), restricting access to the affected WordPress endpoints with a WAF rule scoped to Bricksforge AJAX or REST routes (which may break legitimate front-end behavior if the plugin uses those routes for anonymous visitors), and enabling Patchstack's virtual patching service if already subscribed. Reviewing access logs for unusual hits to plugin-specific endpoints is recommended to detect prior probing.

Share

EUVD-2026-37671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy