Description
The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. Specifically, the plugin uses `htmlspecialchars_decode()` after `wp_kses_post()`, which decodes HTML entities back into executable code after sanitization has occurred. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) via shortcode attributes
Action: Patch Now
AI Analysis

Impact

The Livemesh Addons for Beaver Builder plugin for WordPress contains a Stored XSS flaw in the `[labb_pricing_item]` shortcode. When the shortcode's `title` and `value` attributes are rendered, the plugin first sanitizes the input with `wp_kses_post()` and then decodes it with `htmlspecialchars_decode()`. The decode step undoes the sanitization: entity-encoded markup such as `&lt;script&gt;` contains no tags, so `wp_kses_post()` passes it through as harmless text, and the subsequent decode turns it back into live HTML. This allows an authenticated Contributor or higher to inject arbitrary JavaScript that executes whenever any user views the page. An attacker could steal session cookies, deface content, or perform other malicious client-side actions, breaking confidentiality, integrity, and potentially availability of the site. The flaw aligns with CWE-79.
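The following is an added illustration of the sanitize-then-decode ordering described above; it is not the plugin's code. `wp_kses_post()` needs a running WordPress, so a simplified allow-list filter built on PHP's `strip_tags()` stands in for it (the `kses_stand_in` name, the `<h4>` wrapper and the two sample inputs are assumptions made for this example). The point is the order of the two calls, not the exact filter.

```php
<?php
// Added example, not code from the Livemesh plugin.
// Simplified stand-in for wp_kses_post(): keeps a few inline tags and
// removes every other tag, including <script>. Entity-encoded text such as
// &lt;script&gt; contains no tags, so it passes through untouched.
function kses_stand_in(string $html): string {
    return strip_tags($html, '<b><i><em><strong><a><span>');
}

// Vulnerable order, as described in the advisory: sanitize, then decode.
// The decode step converts entities the filter accepted as text into live markup.
function render_title_vulnerable(string $title): string {
    return '<h4 class="lae-title">' . htmlspecialchars_decode(kses_stand_in($title)) . '</h4>';
}

// One hardened order: decode first (if decoding is wanted at all), then
// sanitize, so the filter judges exactly the markup that reaches the browser.
function render_title_fixed(string $title): string {
    return '<h4 class="lae-title">' . kses_stand_in(htmlspecialchars_decode($title)) . '</h4>';
}

// Constructed inputs: a legitimate title with an entity and inline formatting,
// and an entity-encoded script element as a Contributor could type it into
// the shortcode attribute.
$benign  = 'Pro &amp; Enterprise <strong>plan</strong>';
$hostile = '&lt;script&gt;/* constructed payload */&lt;/script&gt;Basic';

echo render_title_vulnerable($benign), PHP_EOL;
echo render_title_vulnerable($hostile), PHP_EOL;
echo render_title_fixed($hostile), PHP_EOL;
```

Run with the PHP CLI. With the hostile input, `render_title_vulnerable()` emits a literal `<script>` element inside the heading, because the filter saw only entities and the decode happened afterwards; `render_title_fixed()` emits the script's text content with the tag stripped. In a real plugin the simpler fix is usually to drop the decode entirely and let `wp_kses_post()` output, or `esc_html()` for plain-text attributes, reach the page unchanged.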

Affected Systems

All installations of the Livemesh Addons for Beaver Builder plugin with version 3.9.2 or earlier are affected. The vulnerability exists in the plugin’s core module that processes the `[labb_pricing_item]` shortcode within WordPress pages and posts.

Risk and Exploitability

The CVSS v3.1 base score is 6.4, indicating moderate severity. The EPSS score is below 1%, reflecting a low probability that the vulnerability is being actively exploited at present, and the flaw is not listed in the CISA KEV catalog. An attacker must be authenticated with Contributor-level or higher privileges to inject malicious payloads. Once injected, the script runs for every visitor to the affected page, so the risk of credential theft or defacement is significant if an attacker obtains such access.

Generated by OpenCVE AI on April 15, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Livemesh Addons for Beaver Builder to a version newer than 3.9.2 that contains the XSS fix.
  • Edit any pages or posts containing the `[labb_pricing_item]` shortcode to remove or replace injected JavaScript, and resave the content to ensure sanitization is re-applied.
  • Until a patch is applied, restrict Contributor and higher roles from editing content that uses the shortcode, or disable the shortcode altogether, to prevent further injections.
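To support the clean-up step above (finding posts whose `[labb_pricing_item]` shortcodes carry script-capable markup in `title` or `value`), here is an added audit helper. It is not part of the plugin or of OpenCVE; the attribute grammar is a simplified stand-in for WordPress's `shortcode_parse_atts()`, the `labb_pricing_item_findings` name is an assumption, and the sample post content is constructed. It decodes each attribute the same way the vulnerable code path does, so entity-encoded payloads are judged by what the browser would finally receive.

```php
<?php
// Added audit helper, not code from the Livemesh plugin or OpenCVE.
// Scans a post_content string for [labb_pricing_item] shortcodes and reports
// title/value attributes that, once entity-decoded, contain script-capable
// markup: <script> tags, on*= event handler attributes, or javascript: URLs.
function labb_pricing_item_findings(string $content): array {
    $findings = [];
    if (!preg_match_all('/\[labb_pricing_item\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($tags as $tag) {
        // Attributes of the form name="..." or name='...' (simplified grammar).
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')/', $tag[1], $attrs, PREG_SET_ORDER);
        foreach ($attrs as $attr) {
            $name = strtolower($attr[1]);
            if ($name !== 'title' && $name !== 'value') {
                continue;
            }
            $raw = $attr[2] !== '' ? $attr[2] : ($attr[3] ?? '');
            // Mirror the plugin's decode step so encoded payloads are not missed.
            $decoded = htmlspecialchars_decode($raw);
            if (preg_match('/<\s*script\b|\bon\w+\s*=|javascript\s*:/i', $decoded)) {
                $findings[] = ['attribute' => $name, 'raw' => $raw, 'decoded' => $decoded];
            }
        }
    }
    return $findings;
}

// Constructed sample post content: one clean item and one tainted item.
$sample_post_content = <<<'HTML'
[labb_pricing_item title="Starter" value="$9 / month"]
[labb_pricing_item title="Pro &lt;script&gt;/* constructed payload */&lt;/script&gt;" value="$29 / month"]
HTML;

foreach (labb_pricing_item_findings($sample_post_content) as $finding) {
    printf("tainted %s attribute: %s\n", $finding['attribute'], $finding['decoded']);
}
```

In practice, feed the helper the `post_content` of each post returned by a query for `%[labb_pricing_item%` and review every hit by hand before editing: the event-handler pattern is deliberately broad and can flag ordinary text, and an attribute can be tainted in ways this simplified grammar does not parse.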


Advisories

No advisories yet.

History

Sat, 28 Feb 2026 03:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

  • First Time appeared (values added): Livemesh; Livemesh livemesh Addons For Beaver Builder; Wordpress; Wordpress wordpress
  • Vendors & Products (values added): Livemesh; Livemesh livemesh Addons For Beaver Builder; Wordpress; Wordpress wordpress

Thu, 26 Feb 2026 02:15:00 +0000

  • Description (values added): the description text shown under Description above
  • Title (values added): Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' and 'value' Shortcode Attributes
  • Weaknesses (values added): CWE-79
  • References (values added): none listed
  • Metrics (values added): cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Livemesh Livemesh Addons For Beaver Builder
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:52.892Z

Reserved: 2026-02-05T21:53:20.776Z

Link: CVE-2026-2029

Vulnrichment

Updated: 2026-02-26T15:12:43.320Z

NVD

Status: Deferred

Published: 2026-02-26T02:16:24.723

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses