Description
Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through 3.21.1.
Published: 2026-03-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access and potential privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a broken access control flaw that allows an attacker to bypass incorrectly configured security levels. It could enable users without proper authorization to perform actions reserved for privileged users, potentially exposing or modifying sensitive data or configuration settings. The weakness is classified as CWE‑862, indicating improper authorization enforcement.

Affected Systems

The affected product is the WordPress Ultimate Addons for WPBakery Page Builder plugin from Brainstorm Force. Versions up to and including 3.21.1 are impacted. Versions 3.21.2 and later are not vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS is less than 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, implying no known exploitation in the wild. The likely attack vector is web-based due to the plugin operating within a WordPress installation; however, the exact delivery method is not specified in the description.

Generated by OpenCVE AI on April 15, 2026 at 17:53 UTC.

Remediation

Vendor Solution

Update the WordPress Ultimate Addons for WPBakery Page Builder plugin to the latest available version (at least 3.21.2).

OpenCVE Recommended Actions

  • Upgrade the WordPress Ultimate Addons for WPBakery Page Builder plugin to version 3.21.2 or later
  • Ensure that the plugin’s administrative capabilities are restricted to users with Administrator roles and disable any generic or low‑privilege roles that can access the plugin configuration
  • If the patch cannot be applied immediately, temporarily deactivate the plugin or replace it with a less privileged alternative until the issue is resolved

Generated by OpenCVE AI on April 15, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through < 3.21.1. Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through 3.21.1.
Title WordPress Ultimate Addons for WPBakery Page Builder plugin < 3.21.1 - Broken Access Control vulnerability WordPress Ultimate Addons for WPBakery Page Builder plugin <= 3.21.1 - Broken Access Control vulnerability
References

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.1. Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through < 3.21.1.
References

Wed, 01 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Wed, 01 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through <= 3.21.1. Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.1.
Title WordPress Ultimate Addons for WPBakery Page Builder plugin <= 3.21.1 - Broken Access Control vulnerability WordPress Ultimate Addons for WPBakery Page Builder plugin < 3.21.1 - Broken Access Control vulnerability
References

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Brainstormforce
Brainstormforce ultimate Addons For Wpbakery Page Builder
Wordpress
Wordpress wordpress
Vendors & Products Brainstormforce
Brainstormforce ultimate Addons For Wpbakery Page Builder
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through <= 3.21.1.
Title WordPress Ultimate Addons for WPBakery Page Builder plugin <= 3.21.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Brainstormforce Ultimate Addons For Wpbakery Page Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-09T09:22:37.774Z

Reserved: 2026-02-25T12:13:25.489Z

Link: CVE-2026-28038

cve-icon Vulnrichment

Updated: 2026-03-05T20:47:00.425Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:36.753

Modified: 2026-04-09T10:16:21.317

Link: CVE-2026-28038

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses