Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labb_admin_ajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
AnalysisAI
Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the labb_admin_ajax AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).
Technical ContextAI
The vulnerability resides in the labb_admin_ajax AJAX action registered by the plugin, with the handler logic observable in the publicly accessible Trac source at admin/admin-ajax.php line 64, with downstream effects in admin/views/settings.php line 137 and includes/helper-functions.php line 248. WordPress nonce verification (check_ajax_referer) is present, which guards against CSRF but provides no authorization - it only confirms the request originated from a legitimate WordPress-generated form token, not that the actor has the capability to perform the action. The missing control is a WordPress capability check (e.g., current_user_can('manage_options')). Combined with absent or insufficient input sanitization before data is persisted to plugin settings and later rendered in the DOM, this produces a Stored XSS condition. The CWE-862 (Missing Authorization) root cause is compounded by the injection sink, but the authorization gap is the primary enabler. The plugin extends the Beaver Builder page-builder ecosystem, meaning settings rendered on the frontend may reach a broad visitor audience beyond just admins.
RemediationAI
No vendor-released patched version is confirmed in the available intelligence data - all NVD references point to the 3.9.2 source (the vulnerable release), and no successor version number is cited. WordPress site operators should monitor the official plugin repository and the Wordfence advisory at wordfence.com/threat-intel/vulnerabilities/id/8bc41c61-1d8a-445f-bd70-3b14a40c89d4 for a patched release and update immediately upon availability. As a compensating control, sites should disable open user registration if it is not operationally required, since the attack requires a minimum of Subscriber-level account access - restricting new account creation eliminates the most common attacker onboarding path, though it does not protect against already-registered low-privilege users. Web Application Firewall (WAF) rules targeting the labb_admin_ajax action parameter can block exploitation payloads; Wordfence's own firewall may provide a virtual patch. Administrators should audit plugin settings for unexpected script content immediately if the site permits open registration. Deactivating the plugin until a fix is available is the safest option if Beaver Builder Builder addons functionality is non-critical.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32101
GHSA-pwmq-vp5f-f6p3