CVE-2026-28038
Received Received - Intake
Missing Authorization in Ultimate Addons for WPBakery Page Builder

Publication date: 2026-03-05

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through <= 3.21.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28038
EUVD
EUVD-2026-9700
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
brainstorm_force ultimate_addons_for_wpbakery_page_builder From 3.0.0 (inc) to 3.21.1 (inc)
brainstorm_force ultimate_addons_for_wpbakery_page_builder to 3.21.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28038 is a medium priority Broken Access Control vulnerability in the WordPress plugin "Ultimate Addons for WPBakery Page Builder" versions up to and including 3.21.1.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions, which allows unprivileged users (such as subscribers or developers) to perform actions that should be restricted to higher privileged roles.'}, {'type': 'paragraph', 'content': 'This issue is classified under OWASP Top 10 A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a moderate risk with potential for exploitation.'}] [1]

Impact Analysis

This vulnerability can allow unprivileged users to perform actions reserved for higher privileged roles, potentially leading to unauthorized changes or access within a WordPress site using the affected plugin.

Such unauthorized actions could compromise the integrity and security of the website, possibly resulting in data manipulation, privilege escalation, or other malicious activities.

As no official patch was available as of the publication date, users are advised to apply mitigation rules provided by Patchstack to block attacks targeting this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the Ultimate Addons for WPBakery Page Builder plugin, allowing unprivileged users to perform privileged actions.

No specific detection commands or network/system scanning commands are provided in the available resources.

Users are advised to monitor for unusual privilege escalation attempts or unauthorized actions performed by low-privileged users within the WordPress environment.

Mitigation Strategies

As of the publication date, no official patch has been released for this vulnerability.

Patchstack has provided a mitigation rule to block attacks targeting this vulnerability, which users are advised to apply promptly to secure their websites.

Monitoring and restricting user roles to prevent unprivileged users from performing actions reserved for higher privileged roles can also help mitigate risk until an official fix is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28038. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart