Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Contributor authentication (PR:L) required; Scope:Changed reflects XSS execution in victim browser; no availability impact; confidentiality and integrity impacts are limited to session-level data and page content.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated attackers holding contributor-level access or higher to persist arbitrary JavaScript via the Map Module's b_width_map field. Because the scope changes (S:C in CVSS), the injected payload executes inside every subsequent visitor's browser context - enabling session hijacking, credential theft, or administrative account takeover against any user who views an affected page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with at minimum contributor-level access (PR:L confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) is derived from AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor-level WordPress account on a site running Themify Builder 7.7.6 or earlier, then uses the builder interface to create or edit a page containing a Map Module, injecting a JavaScript payload such as a cookie-stealing script into the `b_width_map` field. Once the page is published, every subsequent visitor - including administrators - who loads the page will have the script execute in their browser, potentially exfiltrating their session cookie to an attacker-controlled endpoint and enabling full account takeover of high-privileged users. |
| Remediation | The primary remediation is to update the Themify Builder plugin to the version incorporating SVN changeset 3601964 or any later release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Themify Builder
View allReflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote
Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated u
Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subs
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43139
GHSA-hr4g-6fjj-w743