Cyber Resilience

CVE-2026-22390

CriticalRCE

Published: 05 March 2026

Published
05 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0047 37.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22390 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22390 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the Builderall Builder for WordPress plugin (builderall-cheetah-for-wp). This issue affects versions from n/a through 3.0.1 and was published on 2026-03-05.

The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity. Low-privileged authenticated users can exploit it remotely with low complexity and no user interaction, achieving remote code execution due to the changed scope and high impacts on confidentiality, integrity, and availability.

The Patchstack advisory provides details on this remote code execution vulnerability in Builderall Builder for WordPress plugin version 3.0.1, available at https://patchstack.com/database/Wordpress/Plugin/builderall-cheetah-for-wp/vulnerability/wordpress-builderall-builder-for-wordpress-plugin-3-0-1-remote-code-execution-rce-vulnerability?_s_id=cve.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection.This issue affects Builderall Builder for WordPress: from n/a through <= 3.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Code injection vulnerability in public-facing WordPress plugin directly enables remote code execution (RCE) by low-privileged authenticated attackers.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2026-9170Shared CWE-94
CVE-2025-54451Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2025-22204Shared CWE-94

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates code injection by requiring validation of user inputs to the WordPress plugin, preventing malicious code execution.

prevent

Requires timely remediation of the specific code injection flaw in the Builderall plugin through patching to version beyond 3.0.1.

prevent

Controls installation and execution of vulnerable user-installed software like the Builderall WordPress plugin, preventing deployment of the affected component.

References