The vulnerability arises from the WPBakery Page Builder Addons by Livemesh plugin’s AJAX handler `lvca_admin_ajax` which verifies only a nonce but does not enforce user capability checks. This missing authorization allows any authenticated user with Subscriber-level access or higher to submit arbitrary data to the plugin settings. The data is stored without adequate sanitization, enabling an attacker to inject malicious scripts that are served whenever an administrator views the plugin settings page or when any visitor loads the front‑end of the site. The weakness corresponds to CWE‑862. The result is a stored cross‑site scripting condition that compromises the confidentiality, integrity, and availability of the site for users who access the affected pages.

The affected product is Livemesh’s WPBakery Page Builder Addons for WordPress, all releases up to and including version 3.9.4. Users running these versions should verify their install and determine whether they are running any version <= 3.9.4.

The CVSS score of 6.4 indicates a moderate severity vulnerability; the EPSS score is not available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is via the public AJAX endpoint, where an authenticated Subscriber or higher user can trigger exploitation. Because the attacker must be logged in, the exploitation surface is limited to users with legitimate WordPress accounts, but the impact can reach site administrators and all site visitors who view the affected pages. While the EPSS data is unavailable, the missing authorization check and stored XSS nature suggest that exploitation could occur if a malicious script is injected into a configuration value that is subsequently rendered without escaping.