CVE-2026-28038
Missing Authorization in Ultimate Addons for WPBakery Page Builder
Publication date: 2026-03-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| brainstorm_force | ultimate_addons_for_wpbakery_page_builder | From 3.0.0 (inc) to 3.21.1 (inc) |
| brainstorm_force | ultimate_addons_for_wpbakery_page_builder | to 3.21.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-28038 is a medium priority Broken Access Control vulnerability in the WordPress plugin "Ultimate Addons for WPBakery Page Builder" versions up to and including 3.21.1.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions, which allows unprivileged users (such as subscribers or developers) to perform actions that should be restricted to higher privileged roles.'}, {'type': 'paragraph', 'content': 'This issue is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a moderate risk with potential for exploitation.'}] [1]
How can this vulnerability impact me? :
This vulnerability can allow unprivileged users to perform actions reserved for higher privileged roles, potentially leading to unauthorized changes or access within a WordPress site using the affected plugin.
Such unauthorized actions could compromise the integrity and security of the website, possibly resulting in data manipulation, privilege escalation, or other malicious activities.
As no official patch was available as of the publication date, users are advised to apply mitigation rules provided by Patchstack to block attacks targeting this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the Ultimate Addons for WPBakery Page Builder plugin, allowing unprivileged users to perform privileged actions.
No specific detection commands or network/system scanning commands are provided in the available resources.
Users are advised to monitor for unusual privilege escalation attempts or unauthorized actions performed by low-privileged users within the WordPress environment.
What immediate steps should I take to mitigate this vulnerability?
As of the publication date, no official patch has been released for this vulnerability.
Patchstack has provided a mitigation rule to block attacks targeting this vulnerability, which users are advised to apply promptly to secure their websites.
Monitoring and restricting user roles to prevent unprivileged users from performing actions reserved for higher privileged roles can also help mitigate risk until an official fix is available.