Skip to main content

Themify Builder EUVDEUVD-2026-43132

| CVE-2026-15097 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-r6f8-v3hv-xx2m
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network-accessible WordPress endpoint, low complexity, contributor auth required (PR:L), scope changes to victim browser; no availability impact from stored XSS.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:08 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated users to inject persistent JavaScript via the 'height_slider' Slider Module field, which executes in the browser of any visitor who loads an injected page. The scope change (S:C in CVSS) captures the cross-context impact: attacker payload runs in victims' sessions, enabling session hijacking, credential theft, or unauthorized admin actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or register contributor WordPress account
Delivery
Create or edit page with Themify Builder Slider module
Exploit
Inject JavaScript into height_slider field
Install
Payload persists in database
C2
Victim loads injected page
Execute
Malicious script executes in victim browser
Impact
Session tokens or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with contributor-level privileges or higher (editor, administrator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 score (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects the meaningful but bounded nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised a contributor-level WordPress account on a site running Themify Builder ≤7.7.6 creates or edits a page containing a Slider module and injects a JavaScript payload (e.g., a cookie-stealing script) into the height_slider field. The payload is stored in the database and silently executes in the browser of every visitor - including administrators - who subsequently loads that page, allowing the attacker to harvest session tokens without any further interaction.
Remediation Update the Themify Builder plugin to a version beyond 7.7.6 immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy