CVE-2026-22390
Awaiting Analysis Awaiting Analysis - Queue
Code Injection Vulnerability in Builderall WordPress Plugin

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: Patchstack

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection.This issue affects Builderall Builder for WordPress: from n/a through <= 3.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22390
EUVD
EUVD-2026-9531
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
builderall builderall_builder_for_wordpress to 3.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-22390 is a Remote Code Execution (RCE) vulnerability in the WordPress plugin "Builderall Builder for WordPress" versions up to and including 3.0.1.'}, {'type': 'paragraph', 'content': 'This vulnerability is caused by improper control of code generation, classified as a code injection issue under OWASP Top 10 A3: Injection.'}, {'type': 'paragraph', 'content': 'It allows a malicious actor with at least Contributor or Developer privileges to execute arbitrary commands on the target website.'}] [1]

Impact Analysis

Exploitation of this vulnerability can lead to backdoor access and full control over the compromised WordPress site.

An attacker could execute arbitrary commands, potentially leading to data theft, site defacement, or further attacks on the hosting environment.

Because the vulnerability has a high CVSS severity score of 9.9, it is highly dangerous and likely to be exploited.

Compliance Impact

I don't know

Detection Guidance

CVE-2026-22390 is a Remote Code Execution vulnerability in the Builderall Builder for WordPress plugin versions up to 3.0.1, exploitable by users with Contributor or Developer privileges. Detection typically involves monitoring for unusual or unauthorized command execution attempts or suspicious activity related to this plugin.

Since no official patch is available and the vulnerability allows arbitrary command execution, detection can include checking for unexpected changes or backdoor files on the WordPress site, reviewing logs for suspicious requests targeting the plugin, and monitoring user activity for privilege abuse.

Specific commands are not provided in the available resources. However, general detection commands might include:

  • Review web server access logs for suspicious POST requests to plugin endpoints.
  • Use WordPress security plugins or tools to scan for modified or unknown files.
  • Check for unexpected processes or command executions on the server related to the web server user.
Mitigation Strategies

Immediate mitigation steps include applying the Patchstack mitigation rule designed to block attacks targeting this vulnerability until an official patch is released.

Additionally, restrict user privileges by ensuring that only trusted users have Contributor or Developer roles, as exploitation requires these privileges.

Monitoring and hardening the WordPress environment, disabling or removing the vulnerable plugin if possible, and keeping backups are also recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22390. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart