๐Ÿ” CVE Alert

CVE-2026-15407

MEDIUM 4.3

Themify Builder <= 7.7.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Stylesheet Write/Delete via tb_generate_on_fly AJAX Action

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.

CWE CWE-862
Vendor themifyme
Product themify builder
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for themifyme themify builder

Be the first to know when new medium vulnerabilities affecting themifyme themify builder are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

themifyme / Themify Builder
0 โ‰ค 7.7.7

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/b59e2773-31f0-4c19-b066-30982761bc44?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L160 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L160 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L17 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L313 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L69 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L17 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L313 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L69 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?reponame=&old=3607906%40themify-builder&new=3607906%40themify-builder

Credits

PRISM