CVE-2026-28038 is a medium-severity authorization issue (CVSS 4.3) affecting Ultimate Addons for WPBakery Page Builder (slug: Ultimate_VC_Addons) in versions up to and including 3.21.1. According to the published advisory, the plugin lacks a required capability check on a function, which can allow authenticated users (subscriber level and above) to perform an unauthorized action. More details are available in the CVE record and the Wordfence advisory.
Attack Vectors
The primary risk comes from any WordPress site where users can authenticate with low-privilege roles (for example, subscriber accounts created via newsletters, event registrations, partner portals, customer logins, or any form of “create an account” feature).
An attacker does not need admin access to begin. If they can obtain or create a basic authenticated account (subscriber or above), they may be able to trigger the affected plugin function and complete an action they should not be permitted to do.
Security Weakness
This vulnerability is described as a missing authorization (capability) check within Ultimate Addons for WPBakery Page Builder (through 3.21.1). In business terms, it means the software may fail to properly confirm “who is allowed to do what” before carrying out a sensitive operation.
Because this is an access-control flaw, it is especially relevant for sites that intentionally allow many users to register and log in—common in marketing programs, gated content, memberships, and customer communities.
Remediation status: there is no known patch available at this time. Organizations should review the advisory and choose mitigations based on risk tolerance; in many cases, uninstalling the affected plugin and replacing it is the safest route.
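To make the defect class concrete, here is an added illustrative example (not the plugin's own code; the advisory does not name the affected function) of a WordPress AJAX handler that is reachable by any logged-in user without a capability check, beside a hardened version. The action names, nonce name and option key are hypothetical.

```php
<?php
/**
 * Illustrative example of the defect class described in the advisory.
 * Not code from Ultimate Addons for WPBakery Page Builder; hook names,
 * nonce name and option key are hypothetical.
 */

// --- Vulnerable pattern: every logged-in user reaches the handler. ---
// wp_ajax_{action} fires for any authenticated user, subscribers included.
// Nothing here confirms the caller is allowed to change site settings.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value ); // hypothetical option key
    wp_send_json_success( array( 'saved' => $value ) );
}

// --- Hardened pattern: nonce check plus capability check before any state change. ---
add_action( 'wp_ajax_example_save_setting_secure', 'example_save_setting_hardened' );
function example_save_setting_hardened() {
    // CSRF protection: check_ajax_referer() terminates the request with 403
    // if the nonce is missing or invalid. A nonce is NOT an authorization
    // check: a subscriber can hold a valid nonce if it is printed on a page
    // they are allowed to view, so the capability check below is still required.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Enforce the role boundary. A subscriber does not have manage_options,
    // so the request ends here with a 403 instead of a silent success.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
```

When auditing a plugin for this class of issue, look for wp_ajax_, admin_post_, REST route callbacks and form handlers that modify state without a current_user_can() (or an equivalent permission_callback) guarding them.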
Technical or Business Impacts
While the published summary does not specify the exact unauthorized action, missing-authorization issues typically increase the likelihood of unwanted changes being made by low-privilege accounts. This can translate into operational disruption (unexpected site behavior), brand risk (unapproved content changes), and increased support load while teams investigate and recover.
From a leadership and compliance standpoint, the key business concern is that the control boundary between “basic user” and “trusted user” may be weaker than expected. That can undermine internal governance, change control, and audit expectations—especially on sites that support campaigns, lead capture, regulated content, or customer communications.
Practical mitigations to consider immediately (given no patch): uninstall/replace the plugin if feasible; reduce or disable public registration where possible; tighten role assignments (least privilege); review and prune subscriber/user lists; add additional monitoring for unexpected changes; and consider a web application firewall and alerting to flag unusual authenticated activity patterns.
Similar Attacks
Authorization failures (“broken access control”) are a common root cause of real-world incidents. Examples include:
Facebook “View As” security issue (2018) — a vulnerability that enabled attackers to obtain access tokens, illustrating how access-control gaps can lead to unauthorized account-level actions at scale.
Panera Bread data exposure via insecure access controls (reported 2018) — an example of how insufficient authorization checks in web applications can expose or enable access to data beyond what a user should see.