CVE-2026-3895
Description
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lvca_admin_ajax AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WPBakery Page Builder Addons by Livemesh plugin <=3.9.4 has a stored XSS via the lvca_admin_ajax AJAX action due to missing authorization and insufficient sanitization.
Vulnerability
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 3.9.4. The vulnerability resides in the lvca_admin_ajax AJAX action handler in admin-ajax.php [2]. The handler verifies a nonce but performs no capability check. A WordPress nonce is a CSRF token: it proves the request came from a page that embedded the token for that logged-in user, not that the user is authorized to perform the action, so any authenticated user who can obtain the nonce can trigger the action. The lvca_save_settings callback (and lvca_reset_settings) then reads user-supplied values from $_POST or $_GET and stores them as plugin settings without adequate sanitization. When those settings are later rendered on the plugin settings page [1] or in frontend shortcodes, they are output without escaping, resulting in stored XSS.
Exploitation
An attacker needs a WordPress account with at least Subscriber-level access. The attacker sends a POST request to /wp-admin/admin-ajax.php with the parameters action=lvca_admin_ajax, func=lvca_save_settings and nonce=<valid_nonce>, and places malicious payloads in the settings fields (e.g., a value beginning with '> that closes the enclosing attribute and tag). The nonce is required, but it is available to any authenticated user because it is localized into the admin footer. No authorization check exists beyond the nonce. The attacker sends the request from their own browser session; no victim interaction is needed to store the payload. The injected script persists in the plugin settings and executes when an administrator visits the plugin settings page or when any user views a page that renders the affected settings (e.g., color fields).
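The handler shape described in the Vulnerability and Exploitation sections, as an added example that is not the plugin's own code: a minimal PHP script with stand-ins for the WordPress functions it touches (check_ajax_referer, current_user_can, update_option, get_option, esc_attr, sanitize_hex_color, wp_send_json_*), so it runs from the php CLI without WordPress. The option name lvca_settings, the accent_color field, the manage_options capability, the nonce value and the payload are assumptions for illustration; the plugin's real function names, fields and dispatch table are not reproduced here.

```php
<?php
// Added example, not the plugin's code. Stand-ins for the WordPress functions
// used below so the script runs from the CLI. The real check_ajax_referer()
// dies on failure; here it returns a bool for readability.
$current_caps = [];   // capabilities of the simulated user
$options      = [];   // stand-in for the wp_options table

function check_ajax_referer($action, $query_arg = false, $die = true) {
    // Assumption: a Subscriber can always obtain the nonce (it is localized
    // into admin pages), so this passes for every logged-in user.
    return isset($_REQUEST[$query_arg]) && $_REQUEST[$query_arg] === 'valid-nonce';
}
function current_user_can($cap) { global $current_caps; return in_array($cap, $current_caps, true); }
function update_option($name, $value) { global $options; $options[$name] = $value; }
function get_option($name, $default = []) { global $options; return $options[$name] ?? $default; }
function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
function sanitize_hex_color($color) {
    return preg_match('/^#([A-Fa-f0-9]{3}){1,2}$/', (string) $color) ? $color : '';
}
function wp_send_json_error($msg) { echo "error: $msg\n"; }
function wp_send_json_success()   { echo "saved\n"; }

// Vulnerable shape from the advisory: nonce verified, no capability check,
// raw input stored, stored value echoed straight into an attribute.
// In a plugin this would be hooked with add_action('wp_ajax_lvca_admin_ajax', ...).
function vulnerable_admin_ajax() {
    if (!check_ajax_referer('lvca_admin_ajax', 'nonce')) { wp_send_json_error('bad nonce'); return; }
    if (($_POST['func'] ?? '') === 'lvca_save_settings') {
        update_option('lvca_settings', ['accent_color' => $_POST['accent_color'] ?? '']);
        wp_send_json_success();
    }
}
function vulnerable_render() {
    $s = get_option('lvca_settings');
    return '<div style="color: ' . ($s['accent_color'] ?? '') . '"></div>';
}

// Hardened shape: nonce AND capability check, whitelisted dispatch target,
// type-appropriate sanitization on save, escaping on output.
function hardened_admin_ajax() {
    if (!check_ajax_referer('lvca_admin_ajax', 'nonce')) { wp_send_json_error('bad nonce'); return; }
    if (!current_user_can('manage_options')) { wp_send_json_error('forbidden'); return; } // nonce != authorization
    $allowed = ['lvca_save_settings' => true];   // do not call an arbitrary "func" from the request
    if (!isset($allowed[$_POST['func'] ?? ''])) { wp_send_json_error('unknown func'); return; }
    update_option('lvca_settings', ['accent_color' => sanitize_hex_color($_POST['accent_color'] ?? '')]);
    wp_send_json_success();
}
function hardened_render() {
    $s = get_option('lvca_settings');
    return '<div style="color: ' . esc_attr($s['accent_color'] ?? '') . '"></div>';
}

// Simulated Subscriber request with the parameters named in the advisory.
$current_caps = ['read'];   // Subscriber role: has "read", lacks "manage_options"
$_REQUEST = $_POST = [
    'action'       => 'lvca_admin_ajax',
    'func'         => 'lvca_save_settings',
    'nonce'        => 'valid-nonce',
    'accent_color' => '"><script>alert(1)</script>',   // constructed attribute-breakout payload
];

$options = [];
vulnerable_admin_ajax();          // "saved": the Subscriber changed plugin settings
echo vulnerable_render(), "\n";   // <div style="color: "><script>alert(1)</script>"></div>

$options = [];
hardened_admin_ajax();            // "error: forbidden": capability check stops the Subscriber
$current_caps = ['manage_options'];
hardened_admin_ajax();            // admin: "saved", but the payload fails sanitize_hex_color
echo hardened_render(), "\n";     // <div style="color: "></div>
```

Run with `php example.php`. The point of the two-layer fix is that the capability check alone would still leave an administrator able to store a script in their own settings, and sanitization alone would still let a Subscriber rewrite the site's configuration; the handler needs both, plus escaping at every output site, because the same option is rendered in the admin page and in frontend shortcodes.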
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to keylogging, defacement of the admin interface, redirection to malicious sites, or session cookie theft where cookies are exposed to script (WordPress marks its own auth cookies HttpOnly, so the practical route is usually to ride the administrator's session rather than steal it). If the injected script is rendered on the frontend (e.g., in a color attribute), all site visitors are affected. The attacker does not gain direct administrative access but can use the XSS to perform actions on behalf of an administrator (e.g., creating new admin users). The scope of impact includes both the admin area and the public-facing site.
Mitigation
As of the publication date, no patched version has been released and the vendor has not provided a fix. Users should remove or disable the plugin until an update is available. No workaround is given in the existing references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Monitor the plugin's page for version 3.9.5 or later and, before re-enabling, confirm that the release adds a capability check (e.g., current_user_can) to the lvca_admin_ajax handler, sanitizes settings on save, and escapes them on output.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=3.9.4
- (no CPE) range: <=3.9.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/admin/admin-ajax.php (nvd)
- plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/admin/views/settings.php (nvd)
- plugins.trac.wordpress.org/browser/addons-for-visual-composer/tags/3.9.4/includes/helper-functions.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/ff0d4000-020b-4e22-9362-a8f0f5df321e (nvd)
News mentions
No linked articles in our index yet.