Bricks Builder Flaw: CVE-2026-41554 Exposes Websites to Reflected XSS

The National Vulnerability Database has identified a significant Cross-site Scripting (XSS) vulnerability, CVE-2026-41554, within the Bricks Builder WordPress plugin. This flaw, rated HIGH with a CVSS score of 7.1, specifically allows for Reflected XSS attacks. The vulnerability stems from improper neutralization of input during web page generation, meaning malicious scripts can be injected and immediately reflected back to the user’s browser.

The vulnerability affects Bricks Builder versions from the initial release up to and including 2.2, provided they have not patched beyond version 1.9.2. Because the XSS is reflected, attackers must trick users into opening a crafted link, after which arbitrary script executes within the victim's browser session. This could result in session hijacking, data theft, or redirection to phishing sites.

Defenders should prioritize patching Bricks Builder installations immediately. For those unable to patch promptly, implementing robust Web Application Firewall (WAF) rules to detect and block common XSS payloads is a crucial mitigation. Auditing website logs for suspicious GET or POST requests containing script-like characters can also help identify potential exploitation attempts.

What This Means For You

  • If your organization uses Bricks Builder for WordPress, you must immediately update to a patched version. Failure to do so leaves your website and its users vulnerable to session hijacking and credential theft via reflected XSS attacks.

🛡️ Detection Rules

Three detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML of the first rule is shown below.

Severity: high · ATT&CK: T1190 (Initial Access)

CVE-2026-41554 - Bricks Builder Reflected XSS via 'bricks_element_render_shortcode'

Sigma YAML
title: CVE-2026-41554 - Bricks Builder Reflected XSS via 'bricks_element_render_shortcode'
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  This rule detects a reflected Cross-Site Scripting (XSS) attack targeting Bricks Builder, specifically exploiting CVE-2026-41554. The attack leverages the 'bricks_element_render_shortcode' parameter in the URI query to inject a JavaScript payload, such as '<script>alert(String.fromCharCode(88,83,83))</script>', which is then reflected back to the user's browser. This is a primary indicator of exploitation for this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41554/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # '|all' requires both substrings to appear in the same query string;
    # listing the field twice would be a duplicate YAML key
    cs-uri-query|contains|all:
      - 'bricks_element_render_shortcode'
      - '<script>alert(String.fromCharCode(88,83,83))</script>'
  condition: selection
falsepositives:
  - Legitimate administrative activity
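As an added example (not from the advisory, the rule's author, or the Bricks Builder project), the following Python applies the rule's two conditions to webserver access-log lines after URL-decoding the query string, since the literal payload is normally percent-encoded in logs and a raw substring match would miss it; it also generalizes the second condition from the one fixed payload to common script-like markers. The log layout, the sample lines, and the helper names are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in an assumed "method uri-stem uri-query status" layout.
# Only the first line carries both the vulnerable parameter and a script payload.
SAMPLE_LOG = """\
GET /index.php bricks_element_render_shortcode=%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E 200
GET /index.php bricks_element_render_shortcode=hello 200
GET /wp-admin/admin-ajax.php action=heartbeat 200
POST /index.php q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
"""

# Script-like markers, a broader check than the rule's single literal payload.
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript:|on\w+\s*=", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its four fields; return None if malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    method, stem, query, status = parts
    return {"method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def matches_rule(query):
    """Sigma selection with '|all' semantics: the vulnerable parameter name AND
    script-like content must both be present in the decoded query string."""
    decoded = unquote_plus(query)
    has_param = "bricks_element_render_shortcode" in decoded
    has_script = SCRIPT_PATTERN.search(decoded) is not None
    return has_param and has_script


def scan_log(text):
    """Return the decoded query strings of the lines that match the rule."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and matches_rule(entry["query"]):
            hits.append(unquote_plus(entry["query"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("match:", hit)
```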

Source: Shimi's Cyber World

Indicators of Compromise

ID: CVE-2026-41554 · Type: Vulnerability · Indicator: CVE-2026-41554

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
