Description
The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress contains insufficient input sanitization and output escaping for the 'settings[js]' parameter. This flaw allows an authenticated attacker with author-level privileges to inject arbitrary JavaScript code that is stored server‑side and executed in each visitor’s browser when they load the affected page. The injected scripts can be used to steal session data, deface the site, or run additional malicious payloads, thereby compromising user confidentiality and integrity.

Affected Systems

All WordPress sites that are running Beaver Builder Page Builder – Drag and Drop Website Builder versions 2.10.1.1 and earlier are potentially affected. The vulnerability applies to the plugin’s drag‑and‑drop page editor where authors can modify page settings, and any site that has not yet upgraded to a patched release.

Risk and Exploitability

The score of 6.4 places the vulnerability in the medium severity range. The exploit requires the attacker to be authenticated as an author or higher and to possess the ability to edit page settings. Once the malicious script is stored, it is automatically delivered to any visitor of the vulnerable page, making it an easily exploitable threat for sites that rely on the upgraded author role. The vulnerability is not yet listed in the CISA KEV catalog, and there is no EPSS value available to gauge the current exploitation probability.

Generated by OpenCVE AI on April 8, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current version of Beaver Builder Page Builder – Drag and Drop Website Builder on the WordPress admin interface.
  • Update the plugin to the latest release (2.10.1.2 or later) where the 'settings[js]' sanitization issue has been fixed.
  • Verify that no injected scripts remain by inspecting the page source on a clean test site.
  • If an immediate update is not possible, limit author and higher‑level permissions to read‑only where feasible, or temporarily disable the plugin until a patch can be applied.

Generated by OpenCVE AI on April 8, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Beaverbuilder
Beaverbuilder beaver Builder Page Builder – Drag And Drop Website Builder
Wordpress
Wordpress wordpress
Vendors & Products Beaverbuilder
Beaverbuilder beaver Builder Page Builder – Drag And Drop Website Builder
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Beaverbuilder Beaver Builder Page Builder – Drag And Drop Website Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:17.525Z

Reserved: 2026-02-13T18:30:31.731Z

Link: CVE-2026-2481

cve-icon Vulnrichment

Updated: 2026-04-08T15:59:23.869Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T12:16:21.280

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-2481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:48Z

Weaknesses