Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable reflected XSS needs a victim click (UI:R) and no attacker auth (PR:N); script runs cross-context (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder: from n/a through <= 7.7.4.
AnalysisAI
Reflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote attackers inject arbitrary script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 base score of 7.1 reflects unauthenticated exploitation with a scope change, though it requires user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively click or load an attacker-crafted URL (CVSS UI:R), so it cannot be triggered zero-click or purely server-side - this social-engineering step is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates network-reachable, low-complexity exploitation with no privileges required, but critically requires user interaction (UI:R) - a victim must click or load a crafted link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the target WordPress site embedding a malicious script payload in a Themify Builder parameter, then distributes it via phishing email, forum post, or social media. When a logged-in administrator or visitor clicks the link, the unsanitized input is reflected into the page and the script executes in their browser, allowing session cookie theft, action forgery, or redirection. … |
| Remediation | No vendor-released patch version was identified in the available data; the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/themify-builder/vulnerability/wordpress-themify-builder-plugin-7-7-4-cross-site-scripting-xss-vulnerability) lists the flaw as affecting through 7.7.4, so administrators should monitor for and apply a release later than 7.7.4 once published and confirm via the Themify changelog. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all WordPress installations to identify current Themify Builder versions and affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Themify Builder
View allStored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated u
Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated a
Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subs
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43443