CVE-2026-34889

Vulnerability

Overview

CVE-2026-34889 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the Brainstorm Force Ultimate Addons for WPBakery Page Builder plugin for WordPress. The root cause is Improper Neutralization of Input During Web Page Generation, which allows an attacker to inject arbitrary JavaScript into the DOM of a victim's browser when a privileged user interacts with a crafted link or page [1].

Exploitation

Exploitation requires user interaction, such as clicking a malicious link or visiting a specially crafted page. The attack is initiated by a privileged user (e.g., an administrator), though no authentication is needed for the initial injection vector. The vulnerability is DOM-based, meaning the payload executes in the browser after the page loads, bypassing server-side sanitization [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts that can perform actions like redirects, display advertisements, or steal session tokens, leading to privilege escalation or complete site compromise. This vulnerability has been flagged for use in mass-exploit campaigns, targeting thousands of websites regardless of size or popularity [1].

Mitigation

The vulnerability is fixed in version 3.21.4 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If an immediate update is not possible, contact your hosting provider or developer for assistance. The CVSS v3 base score is 6.5 (Medium), and while the vendor considers exploitation unlikely, active mass-exploit campaigns have been observed [1].