CVE-2026-34889
DOM-Based XSS in Ultimate Addons for WPBakery Page Builder
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| brainstorm_force | ultimate_addons_for_wpbakery_page_builder | before 3.21.4 (3.21.4 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34889 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress plugin "Ultimate Addons for WPBakery Page Builder" in versions prior to 3.21.4.
This vulnerability allows attackers to inject malicious scripts (such as redirects, advertisements, or other HTML payloads) that execute when site visitors access the compromised pages.
Exploitation requires a user with at least Contributor or Developer privileges to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form, so user interaction is necessary.
How can this vulnerability impact me?
This vulnerability can lead to the execution of malicious scripts on your website, which may cause unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.
Because exploitation requires user interaction and certain user privileges, the risk is moderate but can be leveraged in mass-exploit campaigns targeting many websites.
If exploited, it can compromise the integrity and trustworthiness of your website, potentially affecting your users and your site's reputation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a DOM-Based Cross Site Scripting (XSS) affecting the Ultimate Addons for WPBakery Page Builder plugin versions prior to 3.21.4. Detection involves identifying whether the vulnerable plugin version is installed and whether malicious scripts are being injected or executed on web pages.
Since exploitation requires user interaction and specific plugin versions, detection can include checking the plugin version installed on your WordPress site.
Suggested commands to detect the vulnerable plugin version on your WordPress installation include:
- Using WP-CLI to check the plugin version: `wp plugin list | grep ultimate-addons-for-wpbakery-page-builder`
- Manually inspecting the plugin version in the WordPress admin dashboard under Plugins.
For network detection, monitoring HTTP responses for injected scripts or unusual payloads on pages generated by the plugin might help, but no specific commands are provided in the available resources.
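The version check above, as an added example that is not part of the advisory or of Patchstack's tooling: it parses the CSV that `wp plugin list --format=csv` prints (assumed columns name,status,update,version) and compares the installed version numerically against 3.21.4, which a plain string comparison would get wrong for a version such as 3.9.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag an installed copy of the plugin
# whose version is below the patched release 3.21.4, using the CSV that
# `wp plugin list --format=csv` prints (assumed columns: name,status,update,version).
# The slug ultimate-addons-for-wpbakery-page-builder is the one the advisory greps for.
PLUGIN_SLUG="ultimate-addons-for-wpbakery-page-builder"
FIXED_VERSION="3.21.4"

# version_lt A B: return 0 when A is strictly older than B, comparing
# dot-separated components numerically (missing components count as 0,
# a suffix such as "-beta" is ignored). A plain string compare would rank
# 3.9 above 3.21.4, so this avoids that false negative.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            xb = (i <= nb) ? y[i] + 0 : 0
            if (xa < xb) exit 0
            if (xa > xb) exit 1
        }
        exit 1
    }'
}

# plugin_status: read the WP-CLI CSV on stdin and print one of
# NOT_INSTALLED, "VULNERABLE <version>" or "PATCHED <version>".
plugin_status() {
    installed=$(awk -F, -v slug="$PLUGIN_SLUG" 'NR > 1 && $1 == slug { print $4; exit }')
    if [ -z "$installed" ]; then
        echo "NOT_INSTALLED"
    elif version_lt "$installed" "$FIXED_VERSION"; then
        echo "VULNERABLE $installed"
    else
        echo "PATCHED $installed"
    fi
}

# Constructed sample in the shape of `wp plugin list --format=csv` output;
# on a live site pipe the real command into plugin_status instead.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
ultimate-addons-for-wpbakery-page-builder,active,available,3.21.3'

printf '%s\n' "$SAMPLE_CSV" | plugin_status   # prints: VULNERABLE 3.21.3
```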
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the Ultimate Addons for WPBakery Page Builder plugin to version 3.21.4 or later, where the vulnerability has been patched.
Users are advised to apply this update as soon as possible to prevent exploitation.
Additionally, using automated update tools such as Patchstack's automated updates can provide rapid protection against this and similar vulnerabilities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts which execute when site visitors access compromised pages. Such vulnerabilities can potentially lead to unauthorized access or manipulation of user data.
While the provided information does not explicitly mention compliance impacts with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could contribute to non-compliance with regulations that require protection of personal data and secure web applications, such as GDPR and HIPAA.