Platform: wordpress
Component: builderall-cheetah-for-wp
Fixed in: 3.0.2
CVE-2026-22390 describes a Remote Code Execution (RCE) vulnerability within the Builderall Builder for WordPress plugin. This flaw allows attackers to inject malicious code, potentially granting them complete control over a WordPress site. The vulnerability impacts versions from 0.0.0 up to and including 3.0.1, and a fix is pending release from the vendor.
The impact of this RCE vulnerability is severe. A successful exploit allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could lead to complete compromise of the website, including data exfiltration, defacement, and the installation of malware. Attackers could leverage this to gain access to sensitive user data, database credentials, and other critical information. The potential for lateral movement within the network is significant if the server has access to other systems. Given the plugin's functionality, attackers could also inject malicious code into the website's content, affecting all visitors.
CVE-2026-22390 was publicly disclosed on 2026-03-05. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring. Active campaigns targeting WordPress plugins are common, so this vulnerability is a likely target.
Organizations using the Builderall Builder for WordPress plugin, particularly those with older versions (0.0.0 - 3.0.1), are at significant risk. Shared hosting environments are especially vulnerable, as a compromised plugin on one site could potentially impact other sites on the same server.
• wordpress / composer / npm:
grep -r "builderall-cheetah-for-wp" /var/www/html/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/builderall-cheetah-for-wp/ | grep -i 'builderall'
Disclosure
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
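The grep above only tells you whether the plugin directory exists; it does not tell you whether the installed copy is in the affected range. The script below is an added example (not part of this advisory and not the plugin's own code) that reads the "Version:" header WordPress requires in a plugin's main PHP file and compares it against the fixed version given on this page (3.0.2). It assumes the WordPress header convention; the plugin's main file name is not stated on the page, so every top-level .php file in the plugin directory is checked. The plugin directories it runs against are constructed samples created in a temporary directory; on a real host, point plugin_status at <wordpress root>/wp-content/plugins/builderall-cheetah-for-wp.

```shell
#!/bin/sh
# Added example: classify an installed builderall-cheetah-for-wp copy as
# affected or fixed by its declared plugin version. Not from the advisory.

FIXED_VERSION="3.0.2"   # taken from the page's "Fixed in" field

# Print the plugin's declared version (first "Version:" header found in a
# top-level .php file), or return 1 if no header is present. The main plugin
# file name is an unknown here, so all .php files in the directory are tried.
plugin_version() {
    dir="$1"
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# Return 0 if dotted version $1 is strictly lower than $2 (numeric per
# component, missing components count as 0, so "3.0" < "3.0.2").
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify a plugin directory: "absent", "unknown", "affected" or "fixed".
plugin_status() {
    dir="$1"
    [ -d "$dir" ] || { echo absent; return; }
    v=$(plugin_version "$dir") || { echo unknown; return; }
    if version_lt "$v" "$FIXED_VERSION"; then echo affected; else echo fixed; fi
}

# Constructed sample: a fake plugin directory carrying the header WordPress
# expects. Used only so the example runs offline.
make_sample_plugin() {
    dir="$1"; ver="$2"
    mkdir -p "$dir"
    cat > "$dir/builderall-cheetah-for-wp.php" <<EOF
<?php
/**
 * Plugin Name: Builderall Builder for WordPress (constructed sample)
 * Version: $ver
 */
EOF
}

# Demo run over two constructed sites: one on 3.0.1, one on 3.0.2.
SAMPLE_ROOT=$(mktemp -d)
make_sample_plugin "$SAMPLE_ROOT/old/builderall-cheetah-for-wp" "3.0.1"
make_sample_plugin "$SAMPLE_ROOT/new/builderall-cheetah-for-wp" "3.0.2"
for site in old new; do
    printf '%s: %s\n' "$site" "$(plugin_status "$SAMPLE_ROOT/$site/builderall-cheetah-for-wp")"
done
rm -rf "$SAMPLE_ROOT"
```

The version comparison is done in awk rather than with sort -V so the script behaves the same on minimal shells; an "unknown" result means the directory exists but no header was readable, which is worth a manual look rather than being treated as safe.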
Due to the lack of a fixed version, immediate mitigation is crucial. Implement strict input validation on all user-supplied data within the Builderall Builder for WordPress plugin. Configure a Web Application Firewall (WAF) to block suspicious requests and payloads known to exploit code injection vulnerabilities. Regularly scan the WordPress installation for malicious files and code. Monitor server logs for unusual activity, particularly attempts to execute arbitrary commands. While a patch is pending, these workarounds can significantly reduce the risk of exploitation. After implementing these measures, verify their effectiveness by attempting to trigger the vulnerability with a safe test payload.
No known patch is available. Review the details of the vulnerability thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2026-22390 is a critical Remote Code Execution vulnerability in the Builderall Builder for WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Builderall Builder for WordPress versions 0.0.0 through 3.0.1. Check your plugin version immediately.
Upgrade to the latest patched version of the Builderall Builder for WordPress plugin as soon as it becomes available. Monitor Builderall's website for updates.
As of the disclosure date, there is no confirmed active exploitation, but the CRITICAL severity suggests a high likelihood if a PoC is released.
Check the official Builderall website and security advisory pages for updates and information regarding CVE-2026-22390.