Skip to main content

Bricksable for Bricks Builder EUVDEUVD-2026-37873

| CVE-2026-56009 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 Patchstack GHSA-m7fg-j95w-crhw
5.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.9 MEDIUM

PR:H confirmed by admin/editor requirement; S:C reflects browser context crossing; limited C/I/A due to constrained script scope.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 12:31 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricksable for Bricks Builder allows Stored XSS.

This issue affects Bricksable for Bricks Builder: from n/a through 1.6.83.

AnalysisAI

Stored Cross-Site Scripting in the Bricksable for Bricks Builder WordPress plugin (versions through 1.6.83) allows a high-privileged attacker to inject persistent malicious scripts into page builder elements, which then execute in victims' browsers when affected pages are loaded. The CVSS scope change (S:C) confirms the injected payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized actions on behalf of the viewing user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress admin or editor
Delivery
Inject JavaScript payload into Bricksable element field
Exploit
Payload stored in WordPress database
Execution
Victim admin loads affected page
Persist
Stored script executes in victim's browser
Impact
Session cookie or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a high-privilege WordPress role (Administrator or Editor) as confirmed by the PR:H metric in the CVSS vector - unauthenticated or low-privileged users cannot trigger this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.9 (Medium) reflects a constrained but meaningful risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with WordPress Administrator or Editor credentials navigates to a page or post using a Bricksable element and injects a JavaScript payload (e.g., a cookie-stealing script) into an unsanitized input field within the Bricks Builder editor. The payload is saved to the WordPress database and silently executes in the browser of any user - including other administrators - who subsequently views the affected page, potentially exfiltrating session tokens or performing privileged actions. …
Remediation The primary remediation is to update the Bricksable for Bricks Builder plugin to a version beyond 1.6.83. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy