CVE-2026-28038
Description
Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through <= 3.21.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Ultimate Addons for WPBakery Page Builder up to 3.21.1 allows unauthenticated exploitation of access control.
Vulnerability Overview
The plugin Ultimate Addons for WPBakery Page Builder (plugin slug: ultimate_vc_addons) suffers from a missing authorization vulnerability affecting versions from n/a through 3.21.1. The root cause is an incorrectly configured access control security level, which means certain functions or API endpoints lack proper authorization checks, allowing unauthorized action execution [1].
Exploitation Details
Attackers can exploit this vulnerability without requiring authentication. The broken access control mechanism enables lower-privileged users, or even unauthenticated visitors, to perform actions that should be restricted to higher-privileged roles such as administrators. This type of vulnerability is frequently used in mass-exploit campaigns, targeting thousands of WordPress sites regardless of size or popularity [1].
Impact
Successful exploitation could lead to unauthorized modification of plugin settings, content injection, or other administrative actions that compromise the site's integrity. The CVSS score of 6.5 (Medium) reflects the potential for significant impact with low attack complexity [1].
Mitigation
The vendor has released version 3.21.2, which resolves the issue. Users are strongly advised to update to this patched version immediately. For those unable to update, applying available mitigation rules (e.g., from Patchstack) can block exploitation attempts until the update is applied [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.21.1
Patches
No patches discovered yet.
References