CVE-2026-15407
Received Received - Intake

Authorization Bypass in Themify Builder Plugin

Vulnerability report for CVE-2026-15407, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
themify builder to 7.7.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Themify Builder plugin for WordPress has an authorization bypass vulnerability in versions up to 7.7.7. It allows authenticated attackers with subscriber-level access or higher to overwrite or delete CSS stylesheets of any posts, including private or draft posts owned by others. Attackers can also modify plugin font options. The vulnerability exists because the plugin fails to properly verify user authorization for actions.

Impact Analysis

If you use the Themify Builder plugin, an attacker could modify or delete your website's CSS stylesheets, affecting its appearance or functionality. They could also change font settings. Since the vulnerability allows access to private or draft posts, sensitive content might be exposed or altered. The attack requires only subscriber-level access, which is a low barrier.

Compliance Impact

This vulnerability could lead to unauthorized access or modification of sensitive data, such as private posts or drafts, potentially violating GDPR or HIPAA requirements for data integrity and confidentiality. Unauthorized changes to CSS or font settings might also affect compliance with accessibility standards.

Mitigation Strategies

Update the Themify Builder plugin to the latest version immediately to patch the authorization bypass vulnerability. If an update is not available, consider disabling the plugin temporarily until a fix is released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15407. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart