CVE-2026-28038: Missing Authorization in Brainstorm_Force Ultimate Addons for WPBakery Page Builder
Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through <= 3.21.1.
AI Analysis
Technical Summary
CVE-2026-28038 identifies a missing authorization vulnerability in the Ultimate Addons for WPBakery Page Builder plugin by Brainstorm_Force, affecting all versions up to 3.21.1. The vulnerability arises from improperly configured access control security levels within the plugin's code, specifically in the ultimate_vc_addons component. This misconfiguration allows unauthorized users to bypass intended permission checks, potentially enabling them to execute privileged actions or access restricted data on WordPress sites using this plugin. The vulnerability is classified as an access control flaw, which is critical in web applications as it directly impacts the enforcement of user privileges. Although no public exploits have been reported, the widespread use of WPBakery Page Builder and its addons makes this a significant risk. The lack of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the nature of missing authorization typically implies a high severity due to the potential for privilege escalation or data exposure. The vulnerability affects a broad range of versions, indicating that many sites remain vulnerable until updated. The issue was reserved and published in early 2026, with no patches or mitigations officially released at the time of this report, increasing the urgency for organizations to monitor and apply updates once available.
Potential Impact
The missing authorization vulnerability can have severe consequences for organizations running WordPress sites with the Ultimate Addons for WPBakery Page Builder plugin. Exploitation could allow attackers to perform unauthorized actions such as modifying site content, injecting malicious code, accessing sensitive user data, or altering site configurations. This compromises the confidentiality, integrity, and availability of the affected websites. For e-commerce platforms or sites handling personal information, this could lead to data breaches, financial loss, reputational damage, and regulatory penalties. The ease of exploitation depends on the specific access control bypass vectors but generally does not require advanced skills, increasing the risk of widespread attacks. Since the plugin is popular globally, a large number of sites remain exposed, potentially serving as entry points for broader network compromises or supply chain attacks. The absence of known exploits currently provides a window for mitigation, but the risk of future exploitation remains high. Organizations could face operational disruptions and loss of customer trust if the vulnerability is exploited.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the use of Ultimate Addons for WPBakery Page Builder, particularly versions up to 3.21.1. Until an official patch is released, administrators should restrict access to WordPress admin areas and plugin management interfaces using network-level controls such as IP whitelisting or VPN access. Implementing strict role-based access controls within WordPress can limit the impact of unauthorized access. Monitoring logs for unusual activity related to plugin endpoints or privilege escalations is critical. Consider disabling or removing the vulnerable plugin if it is not essential to site functionality. Stay informed through vendor advisories and security bulletins for patch releases and apply updates promptly. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs. Additionally, security teams should conduct penetration testing focused on access control mechanisms to identify similar vulnerabilities.
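The audit step above, as an added example that is not part of this advisory or of the vendor's code: it reads per-site plugin inventories captured with WP-CLI (`wp plugin list --format=json`) and flags every copy whose version falls in the affected range (<= 3.21.1). The inventory data is constructed, and the plugin directory slug is assumed to match the `ultimate_vc_addons` identifier from the CVE record (matched case-insensitively).

```python
"""Flag WordPress installs still running an affected Ultimate Addons build."""
import json
import re

AFFECTED_SLUG = "ultimate_vc_addons"   # identifier from the CVE record; assumed to be the directory slug
LAST_AFFECTED = "3.21.1"               # advisory: affected through <= 3.21.1

# Constructed sample: three sites' `wp plugin list --format=json` output (WP-CLI fields).
SAMPLE_INVENTORY = {
    "shop.example": json.dumps([
        {"name": "Ultimate_VC_Addons", "status": "active", "update": "none", "version": "3.21.1"},
        {"name": "js_composer", "status": "active", "update": "none", "version": "7.5"},
    ]),
    "blog.example": json.dumps([
        {"name": "ultimate_vc_addons", "status": "inactive", "update": "none", "version": "3.22.0"},
    ]),
    "docs.example": json.dumps([
        {"name": "ultimate_vc_addons", "status": "active", "update": "none", "version": "3.9"},
    ]),
}


def version_key(version: str) -> tuple:
    """Numeric tuple for a version string, so 3.9 < 3.21 compares numerically, not as text.
    Pre-release suffixes ('3.21.1-beta') are dropped, which treats them as the release
    they precede (conservative: still flagged). Trailing zeros are stripped so 3.21.1.0 == 3.21.1."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the installed version is inside the advisory's range (<= LAST_AFFECTED)."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def find_affected(inventory: dict) -> list:
    """Return (site, status, version) for each site holding an affected copy.
    Inactive copies are still reported: the code stays on disk until it is removed."""
    hits = []
    for site, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin["name"].lower() == AFFECTED_SLUG and is_affected(plugin["version"]):
                hits.append((site, plugin["status"], plugin["version"]))
    return hits


if __name__ == "__main__":
    for site, status, ver in find_affected(SAMPLE_INVENTORY):
        print(f"{site}: {AFFECTED_SLUG} {ver} ({status}) is <= {LAST_AFFECTED}: update or remove")
```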
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-02-25T12:13:25.489Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69a9205dd1a09e29cbe69b9d
Added to database: 3/5/2026, 6:19:09 AM
Last enriched: 3/5/2026, 7:20:05 AM
Last updated: 3/5/2026, 2:58:02 PM