Brainstorm Force


Products by Brainstorm Force, sorted by most security vulnerabilities since 2018

Product Vulnerabilities
Brainstorm Force Astra Sites 2
Brainstorm Force Cartflows 2
Brainstorm Force Sigmize 1
Brainstorm Force Surerank 1

By the Year

In 2026 there have been 8 vulnerabilities in Brainstorm Force products, with an average score of 5.8 out of ten. Last year, in 2025, Brainstorm Force had 10 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Brainstorm Force products in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.49.

Year Vulnerabilities Average Score
2026 8 5.82
2025 10 6.31
2024 10 6.41

It may take a day or so for new Brainstorm Force vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Brainstorm Force Security Vulnerabilities

Each entry lists the CVE and publication date, the vulnerability title, the description, and the affected product(s) where tagged.

CVE-2026-39477, Apr 08, 2026
CartFlows 2.2.3 Auth Bypass via ACL Misconfig
Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CartFlows: from n/a through <= 2.2.3.
Products: Cartflows

CVE-2026-39479, Apr 08, 2026
Brainstorm Force OttoKit 1.1.20 and earlier Blind SQLi via suretriggers
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection. This issue affects OttoKit: from n/a through <= 1.1.20.
Products: Suretriggers

CVE-2026-34889, Apr 01, 2026
XSS in Brainstorm Force Ultimate Addons for WPBakery WP before 3.21.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.

CVE-2026-32431, Mar 13, 2026
Astra Bulk Edit <=1.2.10 DOM-XSS Vulnerability (CVE-2026-32431)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Bulk Edit astra-bulk-edit allows DOM-Based XSS. This issue affects Astra Bulk Edit: from n/a through <= 1.2.10.
Products: Astra Bulk Edit

CVE-2026-28038, Mar 05, 2026
Missing Auth in Brainstorm Force UAPB <=3.21.1 Allows Access Exploit
Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through 3.21.1.
Products: Ultimatevcaddons

CVE-2026-25316, Feb 19, 2026
CartFlows <=2.1.19 Object Injection via Deserialization
Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection. This issue affects CartFlows: from n/a through <= 2.1.19.
Products: Cartflows

CVE-2026-24982, Feb 03, 2026
Spectra <=2.19.17 Missing Auth Vulnerability
Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17.
Products: Ultimate Addons For Gutenberg

CVE-2026-24962, Feb 03, 2026
Brainstorm Force Sigmize <=0.0.9 CSRF Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through <= 0.0.9.
Products: Sigmize

CVE-2025-68497, Dec 24, 2025
Astra Widgets 1.2.16 Stored XSS in astra-widgets
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.16.
Products: Astra Widgets

CVE-2023-23729, Dec 09, 2025
Missing Auth in Brainstorm Force Spectra <=2.3.0
Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through 2.3.0.
Products: Ultimate Addons For Gutenberg

CVE-2025-62059, Nov 06, 2025
Cross-Site Scripting in Brainstorm Force SureRank <=1.3.2
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force SureRank surerank. This issue affects SureRank: from n/a through <= 1.3.2.
Products: Surerank

CVE-2025-48088, Oct 27, 2025
Brainstorm Force Ultimate Addons for WPBakery XSS (Stored) before 3.21.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows Stored XSS. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.1.
Products: Ultimatevcaddons

CVE-2025-11814, Oct 16, 2025
Stored XSS in UltimateAddonsWPBakery <=3.21.1
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-27007, May 01, 2025
Brainstorm Force SureTriggers <=1.0.82 Priv Esc via Incorrect Privilege Assignment
Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation. This issue affects OttoKit: from n/a through <= 1.0.82.
Products: Suretriggers

CVE-2024-12434, Feb 26, 2025
WordPress SureMembers <=1.10.6 Sensitive Info Exposure via REST API
The SureMembers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.6 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including restricted content.

CVE-2024-13800, Feb 12, 2025
ConvertPlus WP Plugin 3.5.30: AJAX Cap Check Bypass leads to DoS
The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint in all versions up to, and including, 3.5.30. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to '1' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.

CVE-2025-24568, Jan 24, 2025
CSRF in Brainstorm Force Starter Templates <=4.4.9
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Starter Templates astra-sites allows Cross Site Request Forgery. This issue affects Starter Templates: from n/a through <= 4.4.9.
Products: Astra Sites

CVE-2024-56274, Jan 07, 2025
Stored XSS in Brainstorm Force Astra Widgets before v1.2.15
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.15.
Products: Astra Widgets

CVE-2024-50439, Oct 28, 2024
Brainstorm Force Astra Widgets XSS (1.2.14)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.14.
Products: Astra Widgets

CVE-2024-47345, Oct 06, 2024
XSS in Brainstorm Force Starter Templates <4.4.0 (Stored)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Starter Templates astra-sites allows Stored XSS. This issue affects Starter Templates: from n/a through <= 4.4.0.
Products: Astra Sites

CVE-2024-7590, Aug 12, 2024
Brainstorm Force Spectra Stored XSS v2.14.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows DOM-Based XSS. This issue affects Spectra: from n/a through <= 2.14.1.
Products: Ultimate Addons For Gutenberg

CVE-2024-3827, Aug 02, 2024
Spectra Pro WP Plugin XSS via blockIDs 1.1.4
The Spectra Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block ids in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5253, Jul 17, 2024
XSS in Ultimate Addons for WPBakery up to 3.19.20 via ult_team shortcode
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ult_team shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5254, Jul 17, 2024
Ultimate Addons WPBakery 3.19.20 Stored XSS in ultimate_info_banner
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_banner shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5255, Jul 17, 2024
Stored XSS via ultimate_dual_color in Ultimate Addons WPBakery 3.19.20
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_dual_color shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5251, Jul 17, 2024
Stored XSS in Ultimate Addons for WPBakery <=3.19.20 via ultimate_pricing
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_pricing shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-4838, May 16, 2024
ConvertPlus <3.5.26 PHP Object Injection via settings_encoded
The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVE-2024-3237, May 04, 2024
ConvertPlug WP Plugin: Unauthorized Data Mod via cp_dismiss_notice() 3.5.25
The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to true.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).