PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45436 Rain-Task Ltd. CVE debrief

A MEDIUM severity vulnerability, CVE-2026-45436, was found in WPBakery Page Builder plugin versions up to 8.7.2. This issue is related to Subscriber Broken Access Control. The vulnerability allows subscribers to perform unauthorized actions, potentially leading to unauthorized access. Users of WPBakery Page Builder plugin versions up to 8.7.2 should apply necessary updates to prevent potential unauthorized access.

Vendor
Rain-Task Ltd.
Product
WPBakery Page Builder
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Users of WPBakery Page Builder plugin versions up to 8.7.2, security teams, and operators managing affected deployments should apply updates and review compensating controls. Vulnerability management and platform security teams should prioritize this vulnerability due to its MEDIUM severity and potential impact on subscriber access.

Technical summary

CVE-2026-45436 is a Broken Access Control vulnerability in WPBakery Page Builder plugin versions up to 8.7.2. The CVSS score is 6.5, indicating a MEDIUM severity level. The vulnerability allows subscribers to perform unauthorized actions. Affected product deployments should be reviewed for exposure, and updates should be applied to version 8.7.3 or later.

Defensive priority

Apply updates to WPBakery Page Builder plugin to version 8.7.3 or later. Monitor for any suspicious activity related to subscriber access. Review and restrict subscriber permissions to prevent unauthorized actions.

Recommended defensive actions

  • Apply updates to WPBakery Page Builder plugin to version 8.7.3 or later.
  • Monitor for any suspicious activity related to subscriber access.
  • Review and restrict subscriber permissions to prevent unauthorized actions.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-06-17T13:20:40.863Z and last modified on 2026-06-17T17:17:01.023Z. The NVD entry is currently Deferred. The vulnerability affects WPBakery Page Builder plugin versions up to 8.7.2. Evidence is based on CVE.org and NVD details. Defenders should verify affected deployments and review official advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:40.863Z and has not been modified since then. The NVD entry is currently Deferred.