CVE-2026-45436
Deferred Deferred - Pending Action

Subscriber Broken Access Control in WPBakery Page Builder

Vulnerability report for CVE-2026-45436, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wpbakery page_builder to 8.7.2 (inc)
wpbakery page_builder to 8.7.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-45436 is a Broken Access Control issue in the WordPress WPBakery Page Builder Plugin versions 8.7.2 and below.

It allows unprivileged users, such as Subscribers, to perform actions that normally require higher privileges because of missing authorization, authentication, or nonce token checks.

This means that users with limited permissions can exploit this flaw to gain unauthorized capabilities within the plugin.

Mitigation Strategies

The immediate recommended action is to update the WPBakery Page Builder plugin to version 8.7.3 or later.

If updating the plugin is not possible, users should seek assistance from their hosting provider or web developer.

Patchstack offers an automated mitigation rule that can be used to block attacks targeting this vulnerability until the plugin is updated.

Impact Analysis

This vulnerability can lead to unauthorized actions being performed by low-privileged users on your website.

Since the flaw allows Subscribers to escalate their privileges, it could result in unauthorized modifications or control over parts of your site managed by the WPBakery Page Builder plugin.

The vulnerability is actively exploitable and could be used in mass-exploitation campaigns targeting thousands of websites, increasing the risk of widespread compromise.

Immediate action is recommended to update the plugin to version 8.7.3 or later to mitigate this risk.

Compliance Impact

The vulnerability in WPBakery Page Builder Plugin versions 8.7.2 and below allows unprivileged users to perform higher-privileged actions due to broken access control. This could lead to unauthorized actions on affected websites.

Such unauthorized access and actions may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Therefore, exploitation of this vulnerability could potentially expose organizations to regulatory risks related to data integrity and access management.

Detection Guidance

The vulnerability in WPBakery Page Builder Plugin versions 8.7.2 and below allows unprivileged users such as Subscribers to perform higher-privileged actions due to broken access control.

Detection on your network or system would involve monitoring for unauthorized privilege escalation attempts or unusual actions performed by Subscriber-level users within the WordPress environment.

Since the vulnerability is related to missing authorization and nonce token checks in the plugin, specific detection commands are not provided in the available resources.

Recommended actions include updating the plugin to version 8.7.3 or later, or applying automated mitigation rules provided by Patchstack to block exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart