CVE-2026-22390
Published: 05 March 2026
Summary
CVE-2026-22390 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22390 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, in the Builderall Builder for WordPress plugin (builderall-cheetah-for-wp). This issue affects versions from n/a through 3.0.1 and was published on 2026-03-05.
The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity. Low-privileged authenticated users can exploit it remotely with low complexity and no user interaction, achieving remote code execution due to the changed scope and high impacts on confidentiality, integrity, and availability.
The Patchstack advisory provides details on this remote code execution vulnerability in Builderall Builder for WordPress plugin version 3.0.1, available at https://patchstack.com/database/Wordpress/Plugin/builderall-cheetah-for-wp/vulnerability/wordpress-builderall-builder-for-wordpress-plugin-3-0-1-remote-code-execution-rce-vulnerability?_s_id=cve.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9531
Vulnerability details
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection.This issue affects Builderall Builder for WordPress: from n/a through <= 3.0.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Code injection vulnerability in public-facing WordPress plugin directly enables remote code execution (RCE) by low-privileged authenticated attackers.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates code injection by requiring validation of user inputs to the WordPress plugin, preventing malicious code execution.
Requires timely remediation of the specific code injection flaw in the Builderall plugin through patching to version beyond 3.0.1.
Controls installation and execution of vulnerable user-installed software like the Builderall WordPress plugin, preventing deployment of the affected component.