Description
Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A contributor-level cross-site scripting (XSS) flaw exists in the Livemesh Addons for WPBakery Page Builder plugin, versions up to and including 3.9.4. Unsanitized input supplied by users with contributor privileges can be stored and rendered in the page content, allowing an attacker to inject arbitrary JavaScript that executes in visitors' browsers. This can result in session hijacking, credential theft, defacement, or redirection of users to malicious sites. The weakness is classified as CWE-79, improper neutralization of input during web page generation.

Affected Systems

The vulnerability affects WordPress installations running the Livemesh Addons for WPBakery Page Builder plugin from Livemesh, specifically all releases up to and including version 3.9.4. Any site using these versions is therefore vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. No EPSS score is available, so there is no exploitation-probability estimate for this CVE. Because the flaw requires a contributor-level account to inject malicious content, the risk is confined to sites that allow such roles. The vulnerability is not listed in the CISA KEV catalog and no public exploit has been reported, but remediation is advisable to prevent potential client-side attacks.

Generated by OpenCVE AI on July 2, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Livemesh Addons for WPBakery Page Builder to version 3.9.5 or newer, which removes the XSS flaw.
  • Restrict contributor accounts to only the capabilities required for their work, eliminating the possibility of inserting executable code.
  • Deploy a site-wide Content-Security-Policy header to mitigate potential XSS exploitation if the vulnerability persists temporarily.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Description Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions.
Title WordPress Livemesh Addons for WPBakery Page Builder plugin <= 3.9.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T15:52:41.535Z

Reserved: 2026-06-25T08:04:34.980Z

Link: CVE-2026-57754

Vulnrichment

Updated: 2026-07-02T13:33:22.126Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')