CVE-2026-15407 in Themify Builder Pluginالمعلومات

الملخص

بحسب MITRE • 16/07/2026

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

مسؤول

Wordfence

حجز

10/07/2026

إفشاء

16/07/2026

الاعتدال

تمت الموافقة

إدخال

VDB-379501

EPSS

0.00000

KEV

لا

النشاطات

منخفض جدًا

القطاع

Hostingprovider

المصادر

Want to stay up to date on a daily basis?

Enable the mail alert feature now!