CVE-2024-5663
Description
The Cards for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Cards widget in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Cards for Beaver Builder plugin up to v1.1.3 allows contributors+ to inject arbitrary scripts via unsanitized widget attributes.
Vulnerability Analysis
What the vulnerability is
The Cards for Beaver Builder plugin for WordPress [1] contains a stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.1.3. The root cause is insufficient input sanitization and output escaping on user-supplied attributes in the plugin's Cards widget [description]. This allows malicious input to be stored and later rendered unsafely in the browser.
Attack exploitation
To exploit this vulnerability, an attacker must be an authenticated user with at least contributor-level access to the WordPress site. The attacker can inject arbitrary web scripts (such as JavaScript) into the Cards widget's attributes. When a page containing the malicious card is accessed by another user (including administrators or regular visitors), the injected script executes in their browser session [description].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement of the site, redirection to malicious sites, or theft of sensitive information like login cookies. The CVSS score of 6.4 (Medium) reflects the need for some level of authenticated access but the potential for wide impact once executed [Severity].
Mitigation
The vendor has not released a patched version; users should update if a fix becomes available. As a workaround, contributor and higher roles should be carefully audited, and output escaping should be reviewed. No evidence of inclusion in CISA KEV was noted at publication.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
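The analysis and mitigation sections above describe the bug class (user-supplied widget attributes stored and later rendered without escaping) but the page carries no code. The following is an added example, not code from the Cards for Beaver Builder plugin or from this page, showing the unsafe rendering pattern beside the hardened one using WordPress's escaping functions. The attribute names (title, body, link, button_text) are hypothetical, and the esc_html/esc_attr/esc_url stand-ins defined at the top exist only so the file runs outside WordPress; inside WordPress the real functions from wp-includes/formatting.php are used and the stand-ins are skipped.

```php
<?php
// Added example (not the plugin's code). Attribute names are hypothetical.
// Stand-ins for WordPress escaping helpers so this runs outside WordPress;
// the real esc_url() keeps a longer protocol allow-list than this one.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        $url = trim((string) $url);
        // Only http/https survive; javascript: and data: URLs are dropped.
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unsafe: stored attribute values are interpolated into HTML unchanged.
// Whatever a contributor saved is emitted verbatim into every visitor's page,
// which is the pattern behind a stored XSS like this CVE.
function render_card_unsafe(array $a): string {
    return '<div class="card">'
         . '<h3 class="card-title">' . $a['title'] . '</h3>'
         . '<p class="card-body">' . $a['body'] . '</p>'
         . '<a class="card-button" href="' . $a['link'] . '">' . $a['button_text'] . '</a>'
         . '</div>';
}

// Hardened: escape at output time, per context.
//   text node        -> esc_html()
//   attribute value  -> esc_attr()
//   URL attribute    -> esc_url() (also rejects non-http(s) schemes)
function render_card_safe(array $a): string {
    return '<div class="card">'
         . '<h3 class="card-title">' . esc_html($a['title']) . '</h3>'
         . '<p class="card-body">' . esc_html($a['body']) . '</p>'
         . '<a class="card-button" href="' . esc_url($a['link']) . '">'
         . esc_html($a['button_text']) . '</a>'
         . '</div>';
}

// Constructed sample input: attribute values as a low-privilege user could
// have saved them. Used here only to show the difference in output.
$attrs = [
    'title'       => 'Offer <img src=x onerror=alert(1)>',
    'body'        => 'Plain text body',
    'link'        => 'javascript:alert(1)',
    'button_text' => 'Go',
];

echo render_card_unsafe($attrs), PHP_EOL; // markup and javascript: href emitted as-is
echo render_card_safe($attrs), PHP_EOL;   // markup rendered as literal text, href emptied
```

Escaping is applied on output rather than (or in addition to) on save, because stored data may have entered through other paths, such as imports or older plugin versions, that never passed through the save-time sanitizer. If a field is meant to carry limited HTML, wp_kses_post() is the WordPress function for that case; contributors do not hold the unfiltered_html capability, so raw HTML should never be emitted on their behalf.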
Affected products
- cpe:2.3:a:ultimateaddons:cards_for_beaver_builder:*:*:*:*:*:wordpress:*:* (range: <1.1.4)
- Range: <=1.1.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/bb-bootstrap-cards/trunk/bb-bootstrap-cards-module/includes/frontend.php (NVD: Patch)
- plugins.trac.wordpress.org/changeset (NVD: Patch)
- www.wordfence.com/threat-intel/vulnerabilities/id/55ff923e-9d04-4ce7-b6d6-165fa4fc5433 (NVD: Third Party Advisory)
- wordpress.org/plugins/bb-bootstrap-cards/ (NVD: Product)
News mentions
No linked articles in our index yet.