VYPR
Medium severity · 6.4 · NVD Advisory · Published May 27, 2026

CVE-2026-2030

Description

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [lvca_carousel] and [lvca_posts_carousel] shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically, shortcode attributes are encoded with wp_json_encode() and output into single-quoted data-settings HTML attributes without using esc_attr(), allowing attackers to break out of the attribute by injecting single quotes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WPBakery Page Builder Addons by Livemesh plugin allows authenticated contributors to inject scripts via shortcode attributes.

Vulnerability

The WPBakery Page Builder Addons by Livemesh plugin for WordPress (versions up to 3.9.4) is vulnerable to Stored Cross-Site Scripting (XSS) in the [lvca_carousel] and [lvca_posts_carousel] shortcodes. The plugin uses wp_json_encode() to encode shortcode attributes and outputs them into single-quoted data-settings HTML attributes without applying esc_attr(). This allows an attacker to break out of the attribute by injecting a single quote. The vulnerability exists in all versions up to and including 3.9.4 [1][2].
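The attribute-context problem described above, shown as an added illustration that is not the plugin's code: the unsafe pattern (JSON placed in a single-quoted data-settings attribute with no attribute escaping) beside the esc_attr() fix. Minimal stand-ins for wp_json_encode() and esc_attr() are defined so the file runs outside WordPress; inside WordPress the real functions are used. The $atts values are constructed; the attribute names are assumptions, not the plugin's real settings keys.

```php
<?php
// Added illustration (not the plugin's code): why JSON from wp_json_encode()
// must be escaped for the attribute context before it is written into a
// single-quoted HTML attribute, and what esc_attr() changes.

if ( ! function_exists( 'wp_json_encode' ) ) {
    function wp_json_encode( $data ) {
        // Core's wp_json_encode() wraps json_encode(). By default json_encode()
        // leaves the single quote character untouched, which is the root issue.
        return json_encode( $data );
    }
}

if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Stand-in for WordPress esc_attr(): encodes & < > " and ' as entities.
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed shortcode attributes as the handler might receive them. The
// second value contains an ordinary apostrophe; that one character is enough
// to terminate a single-quoted attribute early.
$atts = array(
    'posts_per_page' => '6',
    'carousel_title' => "Editor's picks",
);

// Unsafe pattern from the advisory: JSON inside a single-quoted attribute
// with no attribute escaping. The quote inside the JSON closes the attribute.
function render_unsafe( array $atts ) {
    return "<div class='lvca-carousel' data-settings='"
        . wp_json_encode( $atts ) . "'></div>";
}

// Hardened pattern: escape for the attribute context. esc_attr() turns the
// quote into &#039;, so the browser keeps the whole JSON inside the attribute
// and script code reading element.dataset.settings still gets the same JSON
// once the browser has decoded the entities.
function render_safe( array $atts ) {
    return "<div class='lvca-carousel' data-settings='"
        . esc_attr( wp_json_encode( $atts ) ) . "'></div>";
}

echo render_unsafe( $atts ), "\n";
echo render_safe( $atts ), "\n";
```

Run with `php` on the command line and compare the two lines: in the first, the attribute ends at `Editor'` and the rest of the JSON becomes markup; in the second, the entire JSON survives as one attribute value. The fix is the one the advisory names, wrapping the wp_json_encode() result in esc_attr() at the point of output.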

Exploitation

An authenticated attacker with at least Contributor-level access can create or edit a post/page containing the vulnerable shortcode. By crafting a malicious value for a shortcode attribute (e.g., posts_per_page or carousel_settings), the attacker can inject a single quote to break out of the data-settings attribute and insert arbitrary JavaScript. The injected script is stored in the database and executed when any user views the compromised page. No additional user interaction is required beyond viewing the page.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The attack is stored (persistent) and affects all users who visit the affected page, including administrators.

Mitigation

The vendor has not yet released a patched version as of the publication date (2026-05-27). Users should update to a fixed version once available. As a workaround, administrators can restrict Contributor-level access or disable the vulnerable shortcodes via a custom plugin or code snippet. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
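One way to implement the "disable the vulnerable shortcodes via a custom plugin" workaround mentioned above, as an added example rather than vendor code. It is a must-use plugin (a file in wp-content/mu-plugins/) that unregisters the two shortcode tags named in the advisory and replaces them with no-op handlers so the raw tag text does not show in published pages. The hook and priority are assumptions: they presume the plugin registers its shortcodes during or before the `init` action.

```php
<?php
/**
 * Plugin Name: Disable Livemesh carousel shortcodes (temporary workaround)
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 * to neutralise [lvca_carousel] and [lvca_posts_carousel] until a fixed release
 * is installed, then delete this file after updating.
 */

// Run late on 'init' so this executes after the plugin has registered its
// shortcodes. Assumption: the plugin registers them on init or earlier; the
// shortcode tags come from the advisory, the hook and priority are our choice.
add_action( 'init', function () {
    $tags = array( 'lvca_carousel', 'lvca_posts_carousel' );

    foreach ( $tags as $tag ) {
        // Unregister the vulnerable handler.
        remove_shortcode( $tag );

        // Re-register with a no-op so the literal [tag ...] text is not rendered
        // into pages; nothing is output regardless of the supplied attributes.
        add_shortcode( $tag, function () {
            return '';
        } );
    }
}, PHP_INT_MAX );
```

Because must-use plugins load before ordinary plugins, registering the callback on `init` with the maximum priority is what ensures it runs after the plugin's own registration. Verify on a staging site that the carousels are replaced by empty output, and remove the file once the site is on a fixed version.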

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.