Builderall for WordPress <= 3.0.1 – Authenticated (Contributor+) Remote Code Execution | CVE 2026-22390

Affects Plugins

builderall-cheetah-for-wp

No known fix

References

CVE

CVE-2026-22390

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3f92c416-8e95-4097-9f16-e1f9389b2334

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

7.2 (High)

Miscellaneous

Original Researcher

Doan Dinh Van (DinhVan52)

Verified

No

WPVDB ID

bdcd986c-b322-4cc7-97ab-f4736be60c96

Timeline

Publicly Published

2026-02-25 (about 1 month ago)

Added

2026-03-05 (about 30 days ago)

Last Updated

2026-03-05 (about 30 days ago)

Other

Published

Title

Published

2014-08-01

Title

GeoPlaces - File Upload H&ling Remote Comm& Execution

Published

2024-05-15

Title

Advanced Custom Fields Pro < 6.2.10 - Authenticated (Contributor+) Code Injection

Published

2025-07-21

Title

Nginx Cache Purge Preload < 2.1.3 - Authenticated (Administrator+) Remote Code Execution

Published

2025-02-20

Title

Head, Footer and Post Injections < 3.3.1 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments

Published

2023-10-12

Title

Nexter Extension < 2.0.4 - Authenticated(Editor+) Remote Code Execution via metabox