CVE-2026-45436
Deferred - Pending Action
Subscriber Broken Access Control in WPBakery Page Builder

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber Broken Access Control in WPBakery Page Builder versions <= 8.7.2.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
wpbakery | page_builder | up to 8.7.2 (inclusive)
wpbakery | page_builder | up to 8.7.3 (exclusive)
CWE ID | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Mitigation Strategies

The immediate recommended action is to update the WPBakery Page Builder plugin to version 8.7.3 or later.

If updating the plugin is not possible, users should seek assistance from their hosting provider or web developer.

Patchstack offers an automated mitigation rule that can be used to block attacks targeting this vulnerability until the plugin is updated.

Detection Guidance

The vulnerability in WPBakery Page Builder Plugin versions 8.7.2 and below allows unprivileged users such as Subscribers to perform higher-privileged actions due to broken access control.

Detection on your network or system would involve monitoring for unauthorized privilege escalation attempts or unusual actions performed by Subscriber-level users within the WordPress environment.

The vulnerability stems from missing authorization and nonce token checks in the plugin. The available resources do not provide specific detection commands.

Recommended actions include updating the plugin to version 8.7.3 or later, or applying automated mitigation rules provided by Patchstack to block exploitation attempts.

Compliance Impact

The vulnerability in WPBakery Page Builder Plugin versions 8.7.2 and below allows unprivileged users to perform higher-privileged actions due to broken access control. This could lead to unauthorized actions on affected websites.

Such unauthorized access and actions may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Therefore, exploitation of this vulnerability could potentially expose organizations to regulatory risks related to data integrity and access management.

Executive Summary

The vulnerability CVE-2026-45436 is a Broken Access Control issue in the WordPress WPBakery Page Builder Plugin versions 8.7.2 and below.

It allows unprivileged users, such as Subscribers, to perform actions that normally require higher privileges because of missing authorization, authentication, or nonce token checks.

This means that users with limited permissions can exploit this flaw to gain unauthorized capabilities within the plugin.

Impact Analysis

This vulnerability can lead to unauthorized actions being performed by low-privileged users on your website.

Since the flaw allows Subscribers to escalate their privileges, it could result in unauthorized modifications or control over parts of your site managed by the WPBakery Page Builder plugin.

The vulnerability is actively exploitable and could be used in mass-exploitation campaigns targeting thousands of websites, increasing the risk of widespread compromise.

Immediate action is recommended to update the plugin to version 8.7.3 or later to mitigate this risk.
