Skip to main content

Livemesh Addons EUVDEUVD-2026-32101

| CVE-2026-3897 MEDIUM
Missing Authorization (CWE-862)
2026-05-27 security@wordfence.com GHSA-pwmq-vp5f-f6p3
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 22:24 vuln.today
CVE Published
May 27, 2026 - 08:16 nvd
MEDIUM 6.4

DescriptionCVE.org

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labb_admin_ajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.

AnalysisAI

Stored Cross-Site Scripting in the Livemesh Addons for Beaver Builder WordPress plugin (all versions ≤3.9.2) allows authenticated attackers with Subscriber-level access or above to inject persistent malicious scripts via the labb_admin_ajax AJAX endpoint. The root flaw is a missing capability check - the handler validates a WordPress nonce (confirming form origin) but never verifies whether the requesting user holds privileges to modify plugin settings, effectively granting any registered user write access to plugin configuration. Injected scripts execute in the browser of administrators who visit the settings page or against any frontend visitor, enabling session hijacking or privilege escalation against admins. No public exploit code or active exploitation has been identified at time of analysis; EPSS is very low at 0.03% (8th percentile).

Technical ContextAI

The vulnerability resides in the labb_admin_ajax AJAX action registered by the plugin, with the handler logic observable in the publicly accessible Trac source at admin/admin-ajax.php line 64, with downstream effects in admin/views/settings.php line 137 and includes/helper-functions.php line 248. WordPress nonce verification (check_ajax_referer) is present, which guards against CSRF but provides no authorization - it only confirms the request originated from a legitimate WordPress-generated form token, not that the actor has the capability to perform the action. The missing control is a WordPress capability check (e.g., current_user_can('manage_options')). Combined with absent or insufficient input sanitization before data is persisted to plugin settings and later rendered in the DOM, this produces a Stored XSS condition. The CWE-862 (Missing Authorization) root cause is compounded by the injection sink, but the authorization gap is the primary enabler. The plugin extends the Beaver Builder page-builder ecosystem, meaning settings rendered on the frontend may reach a broad visitor audience beyond just admins.

RemediationAI

No vendor-released patched version is confirmed in the available intelligence data - all NVD references point to the 3.9.2 source (the vulnerable release), and no successor version number is cited. WordPress site operators should monitor the official plugin repository and the Wordfence advisory at wordfence.com/threat-intel/vulnerabilities/id/8bc41c61-1d8a-445f-bd70-3b14a40c89d4 for a patched release and update immediately upon availability. As a compensating control, sites should disable open user registration if it is not operationally required, since the attack requires a minimum of Subscriber-level account access - restricting new account creation eliminates the most common attacker onboarding path, though it does not protect against already-registered low-privilege users. Web Application Firewall (WAF) rules targeting the labb_admin_ajax action parameter can block exploitation payloads; Wordfence's own firewall may provide a virtual patch. Administrators should audit plugin settings for unexpected script content immediately if the site permits open registration. Deactivating the plugin until a fix is available is the safest option if Beaver Builder Builder addons functionality is non-critical.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-32101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy