VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2024 · Updated Apr 8, 2026

PowerPack Lite for Beaver Builder <= 1.3.0.5 - Reflected Cross-Site Scripting via Navigate Parameter

CVE-2024-12239

Description

Reflected XSS in PowerPack Lite for Beaver Builder plugin for WordPress via the 'navigate' parameter, affecting all versions up to 1.3.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in all versions up to, and including, 1.3.0.5. The vulnerability occurs via the navigate parameter in the admin settings templates file (includes/admin-settings-templates.php around line 62). The plugin fails to properly sanitize input and escape output, allowing unauthenticated attackers to inject arbitrary web scripts. The fixed version is 1.3.1, released on 2024-12-07 [1][2].

Exploitation

An unauthenticated attacker can craft a malicious link containing a specially crafted navigate parameter. The attacker must trick an administrative user into clicking the link (user interaction is required). No authentication or special network position is needed to deliver the payload. When the admin clicks the link, the injected script executes in the context of the admin's browser session.
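
Because the crafted navigate value travels in the query string of the link the admin follows, the request appears in the web server's access log. The Python check below is an added example, not part of the advisory or the plugin's code; it assumes combined-format logs and the default /wp-admin/ path, and the sample entries (page name and parameter values) are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters needed to close an HTML attribute or open a tag.
HTML_META = set("<>\"'`")

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_navigate(log_line):
    """Return the decoded 'navigate' value if it carries HTML
    metacharacters on a wp-admin request, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if "/wp-admin/" not in url.path:  # assumption: default admin path
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == "navigate":
            value = decode_fully(value)
            if HTML_META & set(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged entry."""
    flagged = ((n, suspicious_navigate(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in flagged if v is not None]

# Constructed sample entries; page name and values are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2024:09:14:02 +0000] "GET /wp-admin/options-general.php?page=example-settings&navigate=templates HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Dec/2024:09:15:40 +0000] "GET /wp-admin/options-general.php?page=example-settings&navigate=%22%3E%3Cb%3Emarker HTTP/1.1" 200 5177',
    '198.51.100.4 - - [10/Dec/2024:09:16:11 +0000] "GET /wp-admin/options-general.php?page=example-settings&navigate=%2522%253Emarker HTTP/1.1" 200 5170',
    '198.51.100.4 - - [10/Dec/2024:09:17:00 +0000] "GET /shop/?navigate=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: navigate={value!r}")
```

A hit shows only that a request carrying markup in navigate reached the admin area; whether it was reflected depends on the installed plugin version.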

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the admin's browser. This can lead to session hijacking, defacement of admin pages, or theft of sensitive information like cookies or nonces. The attack is reflected, so the script runs in the admin's session but does not persist in the database or file system.

Mitigation

The vulnerability is fixed in version 1.3.1 of the PowerPack Lite for Beaver Builder plugin, released on 2024-12-07 [1]. Users should update to that version immediately. No workarounds are documented in the available references. This CVE is not listed in the CISA KEV catalog at the time of writing.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
