Executive Summary

CVE-2026-34889 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress plugin "Ultimate Addons for WPBakery Page Builder" in versions prior to 3.21.4.

This vulnerability allows attackers to inject malicious scripts—such as redirects, advertisements, or other HTML payloads—that execute when site visitors access the compromised pages.

Exploitation requires a user with at least Contributor or Developer privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the execution of malicious scripts on your website, which may cause unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

Because exploitation requires user interaction and certain user privileges, the risk is moderate but can be leveraged in mass-exploit campaigns targeting many websites.

If exploited, it can compromise the integrity and trustworthiness of your website, potentially affecting your users and your site's reputation.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability is a DOM-Based Cross Site Scripting (XSS) affecting the Ultimate Addons for WPBakery Page Builder plugin versions prior to 3.21.4. Detection involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed on web pages.

Since exploitation requires user interaction and specific plugin versions, detection can include checking the plugin version installed on your WordPress site.

Suggested commands to detect the vulnerable plugin version on your WordPress installation include:

• Using WP-CLI to check plugin version: wp plugin list | grep ultimate-addons-for-wpbakery-page-builder
• Manually inspecting the plugin version in the WordPress admin dashboard under Plugins.

For network detection, monitoring HTTP responses for injected scripts or unusual payloads on pages generated by the plugin might help, but no specific commands are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to update the Ultimate Addons for WPBakery Page Builder plugin to version 3.21.4 or later, where the vulnerability has been patched.

Users are advised to apply this update as soon as possible to prevent exploitation.

Additionally, using automated update tools such as Patchstack's automated updates can provide rapid protection against this and similar vulnerabilities.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts which execute when site visitors access compromised pages. Such vulnerabilities can potentially lead to unauthorized access or manipulation of user data.

While the provided information does not explicitly mention compliance impacts with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could contribute to non-compliance with regulations that require protection of personal data and secure web applications, such as GDPR and HIPAA.

Useful 0 Not Useful 0