Skip to main content

Breakdance EUVDEUVD-2026-44886

| CVE-2026-7543 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-7xfg-8mc3-f3f7
7.2
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated network injection (PR:N/AV:N) per description, no interaction to store; scope change (S:C) as script runs in victim browser context with low confidentiality/integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:01 vuln.today
CVE Published
Jul 16, 2026 - 07:51 cve.org
HIGH 7.2

DescriptionNVD

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Breakdance 'fields' parameter
Delivery
Submit crafted script payload
Exploit
Payload stored without sanitization
Execution
Victim loads injected page
Persist
Script executes in victim browser
Impact
Session hijack or admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to reach the Breakdance 'fields' parameter with attacker-controlled input on a site running version 2.7.1 or earlier; per the CVSS vector (PR:N/UI:N) and the description, injection needs no authentication and no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N indicates network-reachable, low-complexity, unauthenticated exploitation requiring no user interaction to inject - a genuinely low bar. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a crafted request setting the 'fields' parameter to a malicious script payload, which Breakdance stores without sanitization. When a site administrator or visitor later loads the injected page, the script executes in their browser - enabling session/cookie theft, admin-action forgery, or redirection. …
Remediation Vendor-released patch: 2.7.2 - upgrade the Breakdance plugin to version 2.7.2 or later, per the vendor security update at https://breakdance.com/breakdance-2-7-2-security-update/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, perform asset discovery to identify all WordPress installations using Breakdance version 2.7.1 or earlier; immediately quarantine any pages suspected of compromise from public access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy