PowerPack Lite for Beaver Builder < 1.2.9.3 - Reflected Cross-Site Scripting
Description
PowerPack Lite for Beaver Builder plugin <=1.2.9.2 has a reflected XSS via unsanitized tab parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PowerPack Lite for Beaver Builder plugin for WordPress versions before 1.2.9.3 fails to sanitize and escape the tab parameter before outputting it back in an admin page, leading to a reflected Cross-Site Scripting (XSS) vulnerability. [1]
Exploitation
An attacker can exploit this by crafting a malicious URL with a payload in the tab parameter and enticing an authenticated admin user to click it. No special privileges are required beyond the admin visiting the link. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. [1]
Mitigation
Update to version 1.2.9.3 or later. The fix was released on 2022-01-12 according to the WPScan timeline. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/PowerPack Lite for Beaver Builder
- Range: <1.2.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin does not sanitize and escape the `tab` parameter before outputting it back in an admin page, allowing reflected XSS."
Attack vector
An attacker can craft a malicious URL containing a JavaScript payload in the `tab` parameter. When a logged-in administrator visits this URL, the unsanitized `tab` parameter is reflected back into the admin page, causing the attacker's script to execute in the victim's browser session [ref_id=1]. This is a reflected Cross-Site Scripting (XSS) attack [CWE-79] that requires the victim to click a crafted link.
Affected code
The advisory does not specify the exact file or function name. The vulnerability exists in the PowerPack Lite for Beaver Builder plugin's admin page handling of the `tab` parameter. The fix was applied in version 1.2.9.3 via changeset 2655379 on the WordPress plugin Trac [ref_id=1].
What the fix does
The advisory states the fix was applied in version 1.2.9.3, but does not include the patch diff. The remediation involves properly sanitizing and escaping the `tab` parameter before outputting it back into the admin page, which prevents malicious JavaScript from being executed [ref_id=1].
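The advisory names neither the file nor the function, so the following is an added illustration rather than the plugin's own code or its actual patch. It shows the defect class the advisory describes (a `tab` query parameter echoed straight into admin-page markup) next to one hardened form that allowlists the tab name and escapes every output context with WordPress' own escaping helpers. The function names `pp_example_render_tabs_vulnerable` and `pp_example_render_tabs_fixed`, the page slug `pp-example` and the tab names are assumptions; `sanitize_key()`, `wp_unslash()`, `esc_attr()`, `esc_html()`, `esc_url()` and `add_query_arg()` are standard WordPress core functions.

```php
<?php
// Added illustration, not the plugin's real code: the pattern the advisory describes
// and one way to fix it. Assumes a WordPress admin-page context; tab names are made up.

// Vulnerable pattern: the raw `tab` query parameter is written into the page unchanged,
// so whatever a crafted link carries in `tab` ends up in the admin's rendered HTML.
function pp_example_render_tabs_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2 class="nav-tab-wrapper">';
    echo '<a class="nav-tab" href="?page=pp-example&tab=' . $tab . '">General</a>';
    echo '</h2>';
    echo '<p>Current tab: ' . $tab . '</p>'; // reflected without sanitization or escaping
}

// Hardened pattern: normalise the input, restrict it to known values, then escape
// for each output context. The two layers are independent; either alone would stop
// the reflection, and keeping both survives a later tab being added carelessly.
function pp_example_render_tabs_fixed() {
    $allowed_tabs = array( 'general', 'modules', 'settings' ); // assumed tab names

    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_key() keeps only lowercase alphanumerics, dashes and underscores.
    $requested = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';

    // Allowlist: an unknown tab name falls back to the default and is never reflected.
    $tab = in_array( $requested, $allowed_tabs, true ) ? $requested : 'general';

    echo '<h2 class="nav-tab-wrapper">';
    foreach ( $allowed_tabs as $slug ) {
        $class = ( $slug === $tab ) ? 'nav-tab nav-tab-active' : 'nav-tab';
        // Each escaper matches its context: esc_attr() for an attribute value,
        // esc_url() for an href, esc_html() for text between tags.
        printf(
            '<a class="%s" href="%s">%s</a>',
            esc_attr( $class ),
            esc_url( add_query_arg( array( 'page' => 'pp-example', 'tab' => $slug ), admin_url( 'admin.php' ) ) ),
            esc_html( ucfirst( $slug ) )
        );
    }
    echo '</h2>';
    echo '<p>Current tab: ' . esc_html( $tab ) . '</p>';
}
```

Reviewing for this bug class is mostly a matter of following every `$_GET` / `$_REQUEST` read to the point where it is echoed and checking that an escaper appropriate to that context (attribute, URL, HTML text, JavaScript) sits in between; a value that only ever selects from a fixed set, as a tab name does, should additionally be compared against that set so it never reaches output at all.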
Preconditions
- auth: The attacker must trick a logged-in WordPress administrator into visiting a crafted URL.
- config: The PowerPack Lite for Beaver Builder plugin must be installed and active with a version prior to 1.2.9.3.
- auth: The victim must have administrative access to the WordPress admin panel.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/changeset/2655379 (MITRE, x_refsource_CONFIRM)
- wpscan.com/vulnerability/564a66d5-7fab-4de0-868a-e19466a507af (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.