CVE-2026-3897
Description
The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labb_admin_ajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Livemesh Addons for Beaver Builder via missing capability checks in the AJAX handler, allowing low-privileged users to inject scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Livemesh Addons for Beaver Builder plugin for WordPress, versions up to and including 3.9.2. The labb_admin_ajax AJAX action, defined in admin/admin-ajax.php, handles plugin settings saving but fails to perform a capability check after verifying a nonce [1], [2]. This allows any authenticated user with a valid nonce to modify plugin settings, including fields that are later output unsanitized on the plugin settings page and potentially on the frontend. The affected code path is reachable when an attacker knows or can obtain the nonce value (e.g., from a page rendered to subscribers).
Exploitation
An attacker must be an authenticated WordPress user with Subscriber-level access or higher. The attacker crafts a POST request to wp-admin/admin-ajax.php with the action=labb_admin_ajax parameter, a valid nonce (typically extracted from a page the plugin renders to the logged-in user), and malicious JavaScript payloads in settings fields such as color or text inputs. The AJAX handler invokes labb_save_settings without checking the user's capability (e.g., manage_options), so the payload is persisted. No privileges beyond Subscriber are needed to store the payload; because this is stored XSS, execution still requires a victim (an administrator opening the settings page, or a visitor loading a frontend page that outputs the setting) to render it.
Impact
If an administrator visits the plugin settings page, the injected script executes in the context of the admin session, leading to full site compromise. Additionally, any frontend page that outputs these settings (e.g., styled elements) may execute the script for ordinary visitors. Consequences include session hijacking, defacement, and forged administrative actions (such as creating a new administrator account or installing a plugin) performed with the victim's privileges.
Mitigation
The developer has not yet released a patched version. Available references do not mention a fixed version or release date [1], [2], [3]. As a workaround, site administrators can block requests to wp-admin/admin-ajax.php that carry action=labb_admin_ajax from non-administrator sessions using Web Application Firewall rules, or deactivate the plugin until a fix ships; restricting the settings page alone does not help, since the vulnerable path is the AJAX endpoint, not the page. The plugin vendor should add a capability check (e.g., current_user_can('manage_options')) to the AJAX callback after the nonce check, sanitize each setting by type on save, and escape settings for their output context when rendering the settings page and the frontend.
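The following is an added illustration of the pattern described in the Exploitation and Mitigation sections, not code from the Livemesh plugin: a nonce-only handler that any logged-in user can reach, beside a hardened version with the capability check, per-field sanitization and context-aware escaping. The handler name matches the CVE description, but the nonce action ('labb_nonce'), option key ('labb_settings') and field names are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. Hook name follows the CVE text;
// nonce action, option key and field names are illustrative assumptions.

// --- Vulnerable pattern: nonce verified, capability never checked ----------
function labb_admin_ajax_vulnerable() {
    // A nonce only proves the request originated from a page WordPress
    // rendered for *this* user. Any Subscriber can obtain one, so this is
    // CSRF protection, not authorization.
    check_ajax_referer( 'labb_nonce', 'nonce' );

    // Raw POST data is stored as-is: stored XSS once it is echoed later.
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'labb_settings', $settings );
    wp_send_json_success();
}

// --- Hardened handler: authorization, then sanitization on save -----------
add_action( 'wp_ajax_labb_admin_ajax', 'labb_admin_ajax_fixed' );
function labb_admin_ajax_fixed() {
    check_ajax_referer( 'labb_nonce', 'nonce' );

    // Authorization: only users who may manage options may change them.
    // wp_send_json_error() calls wp_die(), so execution stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Allow-list known keys and sanitize each by its expected type.
    $clean = array();
    // sanitize_hex_color() returns '' for empty, null for anything not #rgb/#rrggbb.
    $clean['heading_color'] = sanitize_hex_color( $raw['heading_color'] ?? '' ) ?: '#000000';
    $clean['label_text']    = sanitize_text_field( $raw['label_text'] ?? '' );
    $clean['custom_css']    = wp_strip_all_tags( $raw['custom_css'] ?? '' );

    update_option( 'labb_settings', $clean );
    wp_send_json_success( $clean );
}

// --- Output: escape for the context even though values were sanitized -----
function labb_render_settings_form() {
    $s = get_option( 'labb_settings', array() );
    ?>
    <input type="text" name="settings[heading_color]"
           value="<?php echo esc_attr( $s['heading_color'] ?? '' ); ?>">
    <input type="text" name="settings[label_text]"
           value="<?php echo esc_attr( $s['label_text'] ?? '' ); ?>">
    <?php
}

// Frontend: there is no core escaper for CSS, so the defence is to constrain
// the value to a strict type (hex color) before it reaches the <style> block.
function labb_frontend_inline_css() {
    $s     = get_option( 'labb_settings', array() );
    $color = sanitize_hex_color( $s['heading_color'] ?? '' ) ?: '#000000';
    echo '<style>.labb-heading{color:' . $color . ';}</style>';
}
```

The order matters: the capability check runs after the nonce check but before any read of `$_POST`, and the stored value is re-validated at output time so that a record written by an older, vulnerable version cannot still fire once the fix is deployed.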
- https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/views/settings.php#L137
- https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/admin-ajax.php#L64
- https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/includes/helper-functions.php#L248
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.9.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/admin-ajax.php
- https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/admin/views/settings.php
- https://plugins.trac.wordpress.org/browser/addons-for-beaver-builder/tags/3.9.2/includes/helper-functions.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8bc41c61-1d8a-445f-bd70-3b14a40c89d4
News mentions
No linked articles in our index yet.