CVE-2026-15407 in Themify Builder Plugin
Summary
by MITRE • 07/16/2026
The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The Themify Builder plugin for WordPress presents a critical authorization bypass vulnerability that affects all versions up to and including 7.7.7, creating a significant security risk for WordPress installations. This vulnerability stems from inadequate user authentication verification mechanisms within the plugin's core functionality, specifically in how it handles access control for sensitive operations. The flaw allows authenticated attackers who possess subscriber-level privileges or higher to perform unauthorized actions that should typically be restricted to administrators or content owners.
The technical implementation of this vulnerability involves the improper handling of CSRF protection mechanisms within the plugin's front-end builder interface. The tf_nonce value required for validating requests is being exposed through wp_localize_script function on public-facing front-end pages, making it easily accessible to any authenticated user who visits these pages. This exposure eliminates the effectiveness of the CSRF protection, as the nonce can be trivially obtained by any legitimate user with access to the site's front-end interface. The vulnerability specifically impacts operations related to CSS stylesheet generation and font option modifications, which are typically restricted to authorized users.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables attackers to manipulate content that belongs to other users. Authenticated attackers can overwrite or delete generated CSS stylesheet files for arbitrary posts, including private and draft posts owned by different users, effectively compromising the integrity and confidentiality of user-generated content. Additionally, the ability to modify plugin-scoped font options provides attackers with further means of data manipulation and potential disruption of website functionality. This vulnerability is particularly dangerous because it allows for cross-user operations without proper authorization checks.
This vulnerability maps directly to CWE-863, which addresses "Incorrect Authorization," and aligns with ATT&CK technique T1078.004 for Valid Accounts, as it exploits legitimate user credentials to perform unauthorized actions. The flaw represents a fundamental breakdown in the principle of least privilege, where the plugin fails to enforce proper access controls even when users have valid authentication tokens. Security practitioners should note that this issue affects not just individual user accounts but potentially compromises entire website content integrity through unauthorized modifications to CSS and font settings.
The recommended mitigations include immediate upgrading to a patched version of the Themify Builder plugin, as the vulnerability exists in all versions up to 7.7.7. Organizations should implement additional monitoring for unauthorized file modification activities and consider implementing network-level restrictions on the plugin's API endpoints. Regular security audits of WordPress plugins should be conducted to identify similar authorization bypass issues, and administrators should ensure that only trusted users have subscriber-level access or higher. Additionally, the wp_localize_script function should be carefully reviewed in custom implementations to prevent accidental exposure of sensitive tokens or nonces to unauthorized users.