Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS.

This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2.
Published: 2026-05-07
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Reflected Cross-Site Scripting flaw caused by improper neutralization of input during web page generation, classified as CWE-79. When an attacker supplies a crafted query string or form value that is not properly sanitized, the input is reflected directly into the page's HTML output, allowing the attacker to inject and execute arbitrary JavaScript in the context of any user who views the affected page. Such injected code can steal cookies or session identifiers, or mount phishing attacks against visitors.

Affected Systems

The flaw exists in the Bricks Builder WordPress theme in versions 1.9.2 through 2.2 (no lower bound is listed; it is given as n/a). Administrators running any of these versions of Bricks Builder are affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating high severity. EPSS data is not available, so the current exploitation probability cannot be quantified, but its absence from the KEV catalogue suggests no known large-scale exploitation yet. An attacker can trigger the vulnerability with a crafted URL or form input that a user then visits or submits; no privileges on the site are required. Consequently, the risk is moderate to high for sites with publicly accessible pages that echo user input.

Generated by OpenCVE AI on May 7, 2026 at 14:50 UTC.

Remediation

Vendor Solution

Update the WordPress Bricks Builder Theme to the latest available version (at least 2.3).
OpenCVE Recommended Actions

  • Update the Bricks Builder theme to version 2.3 or later, which removes the reflected XSS flaw.
  • If an immediate update is not possible, disable the Bricks Builder theme or restrict access to the vulnerable pages until the patch is applied.
  • Review and tighten input validation for any custom fields or code added by users, ensuring that output is properly escaped according to the guidance for CWE‑79.

Generated by OpenCVE AI on May 7, 2026 at 14:50 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Bricks; Bricks bricks Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Bricks; Bricks bricks Builder; Wordpress; Wordpress wordpress

Thu, 07 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 13:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS. This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Bricks Builder theme 1.9.2-2.2 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-07T15:56:58.903Z

Reserved: 2026-04-21T12:35:51.611Z

Link: CVE-2026-41554

Vulnrichment

Updated: 2026-05-07T15:56:46.653Z

NVD

Status: Deferred

Published: 2026-05-07T14:16:02.710

Modified: 2026-05-07T14:56:14.870

Link: CVE-2026-41554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:42Z

Weaknesses