Description
Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the Bricks Builder WordPress theme allows a user with a Subscriber role to perform administrative actions normally reserved for higher‑privileged users. This flaw is listed as CWE‑862 and results in the ability to modify theme settings and potentially other site configuration elements that the subscriber normally could not access.

Affected Systems

WordPress sites that are using Bricks Builder theme version 2.1.4 or earlier are affected. The theme developer explicitly lists all releases up to 2.1.4 as impacted. No other WordPress themes or core components are impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity; EPSS data is not available and the vulnerability is not in CISA’s KEV catalog. An attacker must possess a Subscriber account or compromise one through social engineering to trigger the broken access controls. The impact remains confined to the theme’s administrative interface, so the elevated privileges are limited to theme configuration rather than full site control.

Generated by OpenCVE AI on June 18, 2026 at 14:06 UTC.

Remediation

Vendor Solution

Update the WordPress Bricks Builder Theme to the latest available version (at least 2.2).


OpenCVE Recommended Actions

  • Update the Bricks Builder Theme to version 2.2 or newer to eliminate the authorization flaw.
  • Restrict the Subscriber role so it cannot access or modify theme settings, ensuring that only appropriate user roles have administrative capabilities.
  • Monitor site logs and configuration files for unexpected changes originating from low‑privileged user accounts to detect possible exploitation.

Generated by OpenCVE AI on June 18, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Bricks
Bricks bricks Builder
Wordpress
Wordpress wordpress
Vendors & Products Bricks
Bricks bricks Builder
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions.
Title WordPress Bricks Builder theme <= 2.1.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Bricks Bricks Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:28:16.102Z

Reserved: 2026-04-15T09:19:20.453Z

Link: CVE-2026-40723

cve-icon Vulnrichment

Updated: 2026-06-17T15:28:09.771Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:15:06Z

Weaknesses