Impact
The Livemesh Addons for WPBakery Page Builder plugin, in versions up to 3.9.4, contains a Cross-Site Scripting flaw that users with contributor privileges can trigger. Unsanitized input supplied by these users can be stored and rendered in the page content, allowing an attacker to inject arbitrary JavaScript that executes in visitors' browsers. This can result in session hijacking, credential theft, defacement, or redirection of users to malicious sites. The weakness follows the classic pattern of reflecting or storing malicious code in a page, identified as CWE-79.
Affected Systems
The vulnerability affects WordPress installations running the Livemesh Addons for WPBakery Page Builder plugin from Livemesh, specifically all releases up to and including version 3.9.4. Any site using these versions is therefore vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, implying no clear evidence of widespread exploitation. Because the flaw requires a contributor-level account to inject malicious content, the risk is confined to sites that allow such roles. The vulnerability is not listed in the CISA KEV catalog and no public exploit has been reported, but remediation is still advisable to prevent potential client-side attacks.
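The two conditions above (a release up to and including 3.9.4, and accounts at contributor level) can be checked per site from an inventory. The following is an added example, not code from OpenCVE or Livemesh. It assumes input shaped like the JSON output of WP-CLI's `wp plugin list --format=json` and `wp user list --format=json`; the plugin slug is a placeholder because the advisory does not state it, and including the author role is an assumption.

```python
import json
import re

LAST_AFFECTED = (3, 9, 4)          # advisory: all releases up to and including 3.9.4
PLUGIN_SLUG = "PLUGIN-SLUG-HERE"   # placeholder; the advisory does not state the slug
LOW_PRIV_ROLES = {"contributor", "author"}  # assumption: author counted with contributor


def parse_version(text):
    """'3.10.0' -> (3, 10): leading numeric parts, trailing zeros dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def triage(plugins_json, users_json):
    """Return (status, logins) for one site's plugin and user inventory."""
    plugin = next((p for p in json.loads(plugins_json)
                   if p["name"] == PLUGIN_SLUG), None)
    if plugin is None:
        return ("not-installed", [])
    # Numeric comparison: as strings, "3.10.0" would sort below "3.9.4".
    if parse_version(plugin["version"]) > LAST_AFFECTED:
        return ("not-affected", [])
    if plugin.get("status") != "active":
        return ("affected-inactive", [])
    logins = [u["user_login"] for u in json.loads(users_json)
              if LOW_PRIV_ROLES & {r.strip() for r in u.get("roles", "").split(",")}]
    return ("exposed" if logins else "affected-no-low-priv-users", sorted(logins))


# Constructed sample inventories (not real site data).
SAMPLE_PLUGINS = json.dumps([
    {"name": PLUGIN_SLUG, "status": "active", "version": "3.9.4"},
    {"name": "other-plugin", "status": "active", "version": "1.0"},
])
SAMPLE_USERS = json.dumps([
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "carol", "roles": "contributor"},
])

if __name__ == "__main__":
    print(triage(SAMPLE_PLUGINS, SAMPLE_USERS))
```

An unparseable version string compares as lower than 3.9.4, so the site is reported as affected rather than silently skipped.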