VYPR
Medium severity 5.9 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 28, 2026

CVE-2026-24594

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for WPBakery Page Builder (addons-for-visual-composer) allows Stored XSS. This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through <= 3.9.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Livemesh Addons for WPBakery Page Builder (≤3.9.4) allows attackers to inject malicious scripts via input neutralization failure.

The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Livemesh Addons for WPBakery Page Builder plugin for WordPress, affecting versions up to and including 3.9.4. The root cause is improper neutralization of user input during web page generation: user-supplied input is not sanitized before being stored and later rendered in pages [1].

Exploitation requires a privileged user (e.g., an editor or admin) to perform an action such as clicking a malicious link or submitting a crafted form. Once triggered, the injected script is stored on the server and executed when other users (including visitors) access the affected page. No direct interaction with the attacker is needed for the stored payload to fire [1].

An attacker can inject arbitrary JavaScript, HTML, or other payloads. This can lead to redirects, advertisement injection, data theft, or defacement. The CVSS v3 score of 5.9 (Medium) reflects the need for user interaction and privileges, but the stored nature increases the potential reach [1].

As of the publication date, the vendor advisories recommend updating the plugin to a patched version. If immediate update is not possible, users should restrict access to the plugin's settings and consider asking their hosting provider for assistance. The vulnerability is listed as used in mass-exploit campaigns, so prompt action is advised [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
