{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34889", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-31T09:57:17.719Z", "datePublished": "2026-04-01T08:51:32.192Z", "dateUpdated": "2026-04-01T13:29:40.506Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T08:51:32.192Z"}, "title": "WordPress Ultimate Addons for WPBakery Page Builder plugin < 3.21.4 - Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "affected": [{"vendor": "Brainstorm Force", "product": "Ultimate Addons for WPBakery Page Builder", "versions": [{"status": "affected", "version": "n/a", "lessThan": "3.21.4", "changes": [{"at": "3.21.4", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.<p>This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-4-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Ultimate Addons for WPBakery Page Builder Plugin to the latest available version (at least 3.21.4).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Ultimate Addons for WPBakery Page Builder Plugin to the latest available version (at least 3.21.4)."}]}], "credits": [{"lang": "en", "value": "Bonds | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:27:06.226622Z", "id": "CVE-2026-34889", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:29:40.506Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34889", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:27:06.226622Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:29:29.911Z"}}], "cna": {"title": "WordPress Ultimate Addons for WPBakery Page Builder plugin < 3.21.4 - Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Brainstorm Force", "product": "Ultimate Addons for WPBakery Page Builder", "versions": [{"status": "affected", "changes": [{"at": "3.21.4", "status": "unaffected"}], "version": "n/a", "lessThan": "3.21.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Ultimate Addons for WPBakery Page Builder Plugin to the latest available version (at least 3.21.4).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Ultimate Addons for WPBakery Page Builder Plugin to the latest available version (at least 3.21.4).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-4-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.<p>This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T08:51:32.192Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34889", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:29:40.506Z", "dateReserved": "2026-03-31T09:57:17.719Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-01T08:51:32.192Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4."}], "id": "CVE-2026-34889", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-01T09:16:17.457", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/ultimate_vc_addons/vulnerability/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-21-4-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.21.4)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "Ultimate Addons for WPBakery Page Builder", "source": "cna", "vendor": "Brainstorm Force"}, "product": "ultimate_addons_for_wpbakery_page_builder", "vendor": "brainstormforce"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-01T10:51:19.678802+00:00", "value": {"mitigation_remediation": ["Update the Ultimate Addons for WPBakery Page Builder plugin to version 3.21.4 or later."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that run the Brainstorm Force Ultimate Addons for WPBakery Page Builder plugin in any version prior to 3.21.4 are affected.", "description_and_impact": "The vulnerability is a DOM\u2011based Cross\u2011site Scripting flaw caused by improper neutralization of input during web page generation in the Ultimate Addons for WPBakery Page Builder plugin. It allows an attacker to inject malicious scripts that are executed in a victim\u2019s browser when the affected content is viewed.", "risk_and_exploitability": "The CVSS base score is 6.5, which is considered medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the exploit is likely feasible through the plugin\u2019s input handling on the front\u2011end; authentication requirements are not specified, so the vulnerability could potentially be triggered by any user that can submit content to the plugin."}}}}, "created": "2026-04-02T07:49:31.641636+00:00", "updated": "2026-04-02T20:17:47.606005+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$ultimate_addons_for_wpbakery_page_builder", "wordpress", "wordpress$PRODUCT$wordpress"]}