CVE-2026-15096 in Map Module
Summary
by MITRE • 07/11/2026
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The Themify Builder plugin represents a widely used visual page building solution for WordPress environments, enabling users to create complex layouts through drag-and-drop interfaces. This particular vulnerability exists within the Map Module functionality where the 'b_width_map' field fails to properly sanitize user input before processing. The flaw affects all versions up to and including 7.7.6, creating a persistent security risk that can be exploited by attackers who have already gained contributor-level access or higher permissions within the WordPress installation.
The technical nature of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When an authenticated attacker with contributor privileges or above submits malicious content through the 'b_width_map' field, the system fails to properly validate or sanitize the input before storing it in the database. This stored data then gets executed whenever any user accesses pages containing the injected content, creating a classic stored cross-site scripting scenario that operates without requiring additional user interaction beyond the initial exploitation.
The operational impact of this vulnerability extends beyond simple script execution as it allows attackers to perform various malicious activities through the compromised WordPress environment. Authorized users with access to the Map Module can inject scripts that may steal session cookies, redirect users to malicious sites, deface pages, or establish persistent backdoors within the WordPress installation. The privilege escalation aspect means that even users with relatively low permissions can leverage this vulnerability to compromise the entire site's security posture.
This vulnerability aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in software applications, and it maps directly to ATT&CK technique T1548.003 which covers Abuse of Cloud Infrastructure for persistence and privilege escalation. The attack vector specifically targets authenticated users who can modify page content through the WordPress admin interface, making it particularly dangerous in environments where multiple contributors have access to the site's builder functionality.
Mitigation strategies should begin with immediate patching of the plugin to version 7.7.7 or later, which contains the necessary input sanitization fixes. Administrators should implement additional security measures including role-based access controls that restrict contributor-level users from modifying critical page elements where possible. Input validation should be strengthened at multiple levels within the application, and output escaping should be enforced consistently throughout the plugin's codebase. Regular security audits of third-party plugins and monitoring for unusual content modifications can help detect exploitation attempts before they cause significant damage to the WordPress installation.