Description
The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on the save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted Beaver Builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin is vulnerable to stored XSS through the global settings field `js`. The flaw arises because the function that saves global settings performs no capability check and does not properly sanitize or escape the input. As a result, an authenticated user with Custom-level access or higher who has been granted Beaver Builder permissions can inject arbitrary JavaScript. Once stored, the script executes whenever any visitor loads a page that includes the affected global settings, enabling attackers to deface pages, steal credentials, or conduct further attacks against site users.

Affected Systems

WordPress sites running the Beaver Builder Page Builder – Drag and Drop Website Builder plugin, versions 2.10.0.5 and earlier. The vulnerability affects all installations that use the plugin with any Global Settings configuration.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. To exploit the stored XSS, attackers need an authenticated account with Custom-level or higher access and the ability to edit Beaver Builder Global Settings. No additional conditions are reported; the flaw can be triggered solely by submitting a malicious payload to the `js` field through the normal settings interface.

Generated by OpenCVE AI on April 15, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Beaver Builder plugin to version 2.10.0.6 or later, which adds the missing capability check and proper input sanitization and output escaping.
  • If an immediate upgrade is not possible, revoke Custom-level and higher Beaver Builder capabilities from all users who do not absolutely require them, or limit those users to read-only access so they cannot edit global settings.
  • Ensure that no other plugins or custom code can programmatically write to the Beaver Builder global settings without proper capability checks.

Generated by OpenCVE AI on April 15, 2026 at 18:38 UTC.
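As an added example (not Beaver Builder's code and not taken from this record), the following hypothetical WordPress save handler shows the two controls the advisory says were missing: an authorization check before the `js` global setting is written, and escaping when stored values are rendered back into the settings form. All function, option and field names here are assumptions.

```php
<?php
// Hypothetical hardened global-settings handler (added example; names are assumptions).
// A custom-JavaScript field cannot be "sanitized" into safe script, so the meaningful
// control is who is allowed to write it; output escaping then protects the admin form.

function example_save_global_settings( array $input ) {
    // 1. Authorization: site-wide script must require a high-privilege capability.
    //    'unfiltered_html' is the core capability WordPress uses to gate raw markup/script;
    //    a plugin-level "builder access" grant alone is not sufficient.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability to save global JavaScript.', array( 'status' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action.
    if ( ! isset( $input['_wpnonce'] ) || ! wp_verify_nonce( $input['_wpnonce'], 'example_save_global_settings' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or missing nonce.', array( 'status' => 403 ) );
    }

    // 3. Input handling: the js field is stored verbatim only for users who passed step 1;
    //    other settings go through type-appropriate sanitizers.
    $settings = array(
        'js'        => isset( $input['js'] ) ? (string) wp_unslash( $input['js'] ) : '',
        'row_width' => isset( $input['row_width'] ) ? absint( $input['row_width'] ) : 1100,
    );

    update_option( 'example_global_settings', $settings, false );
    return true;
}

// 4. Output escaping whenever stored settings are rendered into HTML.
function example_render_settings_form( array $settings ) {
    printf( '<textarea name="js">%s</textarea>', esc_textarea( $settings['js'] ) );
    printf( '<input type="number" name="row_width" value="%s">', esc_attr( $settings['row_width'] ) );
}
```

The same capability check should guard any programmatic path (REST, AJAX or another plugin) that can reach the option, which is the point of the third recommended action above.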

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Beaverbuilder; Beaverbuilder beaver Builder Page Builder – Drag And Drop Website Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Beaverbuilder; Beaverbuilder beaver Builder Page Builder – Drag And Drop Website Builder; Wordpress; Wordpress wordpress

Wed, 11 Feb 2026 01:45:00 +0000

Type / Values Removed / Values Added:
Description The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above who have been granted beaver builder access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings
Weaknesses CWE-79
References (none)
Metrics (cvssV3_1): {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:22.254Z

Reserved: 2026-01-20T13:57:17.987Z

Link: CVE-2026-1231

Vulnrichment

Updated: 2026-02-11T15:37:18.058Z

NVD

Status: Deferred

Published: 2026-02-11T02:15:58.297

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:45:11Z

Weaknesses