Themify Builder <= 7.6.5 - Reflected Cross-Site Scripting
Description
Reflected XSS vulnerability in Themify Builder plugin up to 7.6.5 allows unauthenticated attackers to inject arbitrary scripts via a crafted link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Themify Builder plugin up to 7.6.5 allows unauthenticated attackers to inject arbitrary scripts via a crafted link.
Vulnerability
The Themify Builder plugin for WordPress versions up to and including 7.6.5 is vulnerable to Reflected Cross-Site Scripting due to improper escaping of the URL when using add_query_arg. This allows unauthenticated attackers to inject arbitrary web scripts [1].
Exploitation
An attacker can craft a malicious link containing a payload and trick a logged-in user into clicking it. No authentication is required for the attacker, and the link can be distributed via email, social media, or other means. The victim must be logged into WordPress for the payload to execute in the context of their session.
Impact
Successful exploitation results in arbitrary script execution in the victim's browser, potentially leading to session hijacking, data theft, or website defacement. The attack is reflected, so the payload does not persist on the server.
Mitigation
The issue is fixed in version 7.7.3 [1]. Users should update to this version or later. No workarounds are provided. The plugin is not listed on the CISA KEV.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <= 7.6.5
Patches
1r3224684Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.