CVE-2025-62990

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 13:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Beaver Builder addons-for-beaver-builder allows Stored XSS. This issue affects Livemesh Addons for Beaver Builder: from n/a through <= 3.9.2.

Analysis

A stored cross-site scripting (XSS) vulnerability in the Livemesh Addons for Beaver Builder WordPress plugin, versions 3.9.2 and earlier, allows attackers to inject malicious scripts into web pages that then execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling authenticated or privileged users to store malicious payloads that persist in the plugin's content. With an EPSS score of 0.04% (14th percentile), real-world exploitation likelihood is minimal, though because the XSS is stored, injected content could affect multiple end users of a compromised site.

Technical Context

The vulnerability is a Stored XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Livemesh Addons for Beaver Builder WordPress plugin, which extends the Beaver Builder page builder with additional content blocks and design elements. Beaver Builder is a popular WordPress visual page builder that allows users to create custom page layouts through a drag-and-drop interface. The underlying issue is that user-supplied input intended for display within dynamically generated web pages is not properly escaped or sanitized before being rendered in the DOM, allowing script tags and event handlers to execute. This affects the plugin's content generation pipeline where user input from form fields or settings is directly output without context-appropriate encoding (such as HTML entity encoding for display contexts).

Affected Products

Livemesh Addons for Beaver Builder WordPress plugin versions 3.9.2 and earlier are affected. The plugin is identified by CPE reference to the 'addons-for-beaver-builder' WordPress plugin slug. Vendor advisory and detailed vulnerability information are available via Patchstack at https://patchstack.com/database/Wordpress/Plugin/addons-for-beaver-builder/vulnerability/wordpress-livemesh-addons-for-beaver-builder-plugin-3-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve.

Remediation

Update Livemesh Addons for Beaver Builder to a version newer than 3.9.2 as soon as one is available from the official WordPress plugin repository. Website administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Livemesh Addons for Beaver Builder, and click 'Update Now' when a patched version is released. In the interim, restrict access to the plugin's content editing features to trusted administrators only, and disable the plugin if it is not actively in use. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/addons-for-beaver-builder for the exact patched version number and release timeline.
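To find installations that still fall in the affected range, the following added example (not code from this page or from the plugin) reads the plugin's WordPress header from disk and compares its version against 3.9.2. It assumes the default `wp-content/plugins/<slug>` layout and a standard `Plugin Name:` / `Version:` header in a top-level PHP file; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

SLUG = "addons-for-beaver-builder"  # plugin slug named in the advisory
LAST_AFFECTED = "3.9.2"             # advisory: affected through <= 3.9.2
# Assumption: default layout; sites that relocate WP_CONTENT_DIR need another path.
PLUGIN_SUBDIR = Path("wp-content") / "plugins" / SLUG

NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def version_key(text, width=4):
    """'3.9.2' -> (3, 9, 2, 0); uses each component's leading digits."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # component without digits: ignore it and the rest
        nums.append(int(m.group()))
    return tuple((nums + [0] * width)[:width])


def installed_version(wp_root):
    """Read the Version header from the plugin's main file, or None if absent."""
    plugin_dir = Path(wp_root) / PLUGIN_SUBDIR
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress itself only inspects the first 8 KB for plugin headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return m.group(1) if m else ""
    return None


def audit(wp_root):
    """Return (status, version); an unparsable version counts as affected."""
    version = installed_version(wp_root)
    if version is None:
        return ("absent", None)
    in_range = version_key(version) <= version_key(LAST_AFFECTED)
    return ("affected" if in_range else "above-affected-range", version)


if __name__ == "__main__":
    for root in sys.argv[1:]:
        print(root, *audit(root))
```

Pass one or more WordPress root directories as arguments. A result of `above-affected-range` only means the version is newer than 3.9.2; confirm the patched version against the Patchstack advisory.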

Priority Score

0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
