What the vulnerability does
01 Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress (builderall-cheetah-for-wp) allows Code Injection. This issue affects Builderall Builder for WordPress versions up to and including 3.0.1.
Explanation of Vulnerability in Simple Terms
02 Summary
The Builderall Builder plugin for WordPress versions 3.0.1 and earlier allows authenticated users with low privileges to inject and execute arbitrary PHP code on the site. The vulnerability stems from insufficient input validation in code processing functions. An attacker with a low-privilege account can run their own code with full site access, including reading the database and modifying content.
What an attacker can do
03 Attacker Capabilities
Run arbitrary PHP code on the site with full administrative capabilities.
Potential impact on your site
04 Site Impact
Complete site compromise: attacker can steal data, modify content, create admin accounts, or deface the site.
Conditions required to exploit
05 Prerequisites
Attacker needs a low-privilege WordPress user account (subscriber or contributor level).
Key dates
06 Disclosure timeline
March 5, 2026: CVE published
April 28, 2026: Record updated